Versions Compared

Old Version 7

changes.mady.by.user Vinaya Kumar B

Saved on

compared with

New Version Current

changes.mady.by.user Shailesh Kochhar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Problem Statement 1 

Current problem with Sunbird is any one can create a root-organisation, sub-organisation, user, add user to an existing organisation etc. Further, there is a cyclic problem at system installation time with regard to user and organisation creation. Creation of user requires organisation and creation of organisation requires user. Presently, this cycle dependency is avoided by creating organisation using Keycloak (SSO) admin user token.

Proposed Solution

After successful installation, use an 'initialisation' script to create a system admin (first) user inside Sunbird and Keycloak.

System Admin User Creation

Once system admin user is created, the system admin user can perform following actions:

...

Alternative 1: Storing system admin user details in existing Sunbird user table.

ProsCons
  • No need for a new DB table
  • Existing code can be reused for system admin user CRUD operations
  • Code maintainability is reduced as behaviour of system and normal users can be expected to be different. e.g. Details of system admin may not be required to be stored in registry or shown in user search results


Alternative 2: Storing system admin user details in a new table (e.g. sys_admin_user).

ProsCons
  • Code is easy to maintain as there is separation of normal and system admin users 
  • Additional development effort for maintaining new DB table


In Keycloak, system admin user details can be stored in existing realm or a new realm. Pros and cons of these two alternatives?

Alternative 1: Storing system admin user details in existing Keycloak realm.

ProsCons
  • System admin user can also login to Sunbird Portal
  • Less development effort as existing Keycloak realm is reused
  • Sunbird portal and APIs could involve code changes to customise UI specific to system admin user 

Alternative 2: Storing system admin user details in new Keycloak realm.

ProsCons
  • Restrict system admin users to login to Sunbird Portal as their needs are different and require another portal for administration
  • Additional development effort to support another Keycloak realm
  • In case some APIs (e.g. org admin creation) require to be supported for both system admin and org admin users then two realms need to contacted to authenticate the user

System Admin APIs

1.  Create System Admin User

...

Alternative 1: Create root organisation using existing /v1/org/create API.

ProsCons
  • Reuse existing Org Create API which reduces development effort
  • Request body needs to be checked as well to restrict root organisation creation to specific user groups
  • Code maintainability is reduced in case requirements for root organisation and sub organisation creation diverge over time

Alternative 2: Create root organisation using new /v1/init/root/org/create API.

ProsCons
  • Code is easy to maintain as there is separation in root and sub organisation creation flow
  • Easy to apply different access controls as API for root and sub organisation creation are separated
  • Additional development effort for supporting root organisation CRUD APIs

Method: POST

URL: /v1/init/system/root/org/create

Headers: Authorization, X-Authenticated-User-Token

...

Existing User Create and Assign Roles APIs need to be modified to allow creation of an organisation admin user by a system admin or another organisation admin user only.

System Initialisation Script

Sunbird will provide a system initialisation script to simplify the Sunbird setup process for adopters.

...

  • Create first system admin user
  • Create first root organisation
  • Create first root organisation admin user

Problem statement 2

During user creation, user is added to a root organisation identified by channel property. This channel value can come in Create User API request or can be inferred based on environment variable for default channel (i.e. sunbird_default_channel). The problem with this approach is one more environment variable needs to be set by any Sunbird adopter and particularly an unnecessary setting for an adopter planning to have only one root organisation. In case of a Sunbird adopter with multiple root organisations and environment configuration for Sunbird default channel with a different root organisation, user creations without channel can result in users being silently added to an unintended root organisation which is not desirable.

Proposed Solution

Remove the environment variable sunbird_default_channel. Every time channel will either come from request or system can take it from database based on below logic:

...