January 5, 2024 Architecture Team Meeting Notes

Attendees

@Aare Laponin

@Aleksander Reitsakas

@Wes Brown

@Trev Harmon

@PSRAMKUMAR

@Steve Conrad

Apologies

 

 

 

Agenda

Agenda item: Follow up on ID/Auth questions

Presenter: @Steve Conrad, @PSRAMKUMAR

Duration: 30 minutes

Discussion:

Notes from previous conversation: December 15, 2023 Architecture Team Meeting Notes

 

Potential next steps:

  • Walk through a few specific use cases/scenarios to outline/document what authorization needs are

    • Develop design patterns to manage those scenarios

  • Design/Develop reference application with central authentication, decentralized authorization

    • Who participates? What is the process?

  • Need to document how to onboard partner services - is this done in IM or ID or both? How do we propagate/sync this information between IM and ID?

  • Draft at least one approach

  • Separate out Authentication from Authorization into 2 documents.

 

Ramkumar to start developing guidance on Authentication. Work through that and then address Authorization.

 

Vasil to develop a document that outlines the core questions/implementation concerns that you have. From there, could you work with Smita and Trev to outline the flow/process that is needed so that we can identify any gaps in the BB specs or documentation.

Propose to use this document as a baseline - ensure that it accurately frames the issues: Authentication and Cross-BB Authorization

Question: Should we frame multiple approaches or design patterns?

  • Call out that in some cases, central authorization/authentication is desirable, in other cases we don’t want that.

 

Additional Notes:

  • Types of accessors checked (human, back-end systems, apps or browser, robots, hardware, etc.)

  • Granularity of access control (Building block, module, API, single API service, single API service for specific tenant or data)

From Technical Committee Meeting:

BBs should not own RBAC - the calling applications are responsible for it. 

Are we using token based authorization within the request to BB?

How to get candidates to bypass their own RBAC?

  1. Superuser access to be given when merging with IM backend?

  2. Or a control to switch off existing RBAC in target BBs

  3. Option to have an API token registered in IM at max permission level for specific member entities

  4. Come up with a concrete example for this case

Agenda item: PAERA Document

Presenter: @Aare Laponin

Duration: 10 minutes

Discussion:

Update on development of Chapter 4 and assign reviewers

Chapter 4 draft is located here: https://docs.google.com/document/d/1dQoUMYhY12KmVGuhTq-zAl5JjR43Sl5n/edit?usp=drive_link&ouid=105470549337303062683&rtpof=true&sd=true

Chapter 4 technical Appendix is here: https://docs.google.com/document/d/1ttmPerUPgef7vbqGVkj4Bh9qrYuA8G8_/edit?usp=drive_link&ouid=105470549337303062683&rtpof=true&sd=true

 

Steve, Trev and Ramkumar to review Chapter 4 and make comments. Reviews to be complete by January 19.

 

Aare is developing Chapter 5 - Implementation Guidelines

  • This will describe how to take the model and apply it to a specific context - from policy all the way to implementation

Explore tooling that would allow us to keep the diagrams in an interactive portal, rather than just PDFs.

 

Agenda item: -

Presenter: @Steve Conrad

Duration: 10 minutes

Discussion:

What are the most important conversations for the architecture team in 2024?

Future meeting topics list has been moved to Confluence: Tech Committee & Architecture Team Future Topics