Problem statement:
Currently in Sunbird, anyone can create a rootOrg or subOrg, create a user, add a user to an org, and so on. In the long term this will impact system behavior. Another, cyclic problem is that creating a user requires an organisation and creating an organisation requires a user. As of now we handle organisation creation using the Keycloak admin user token.
Proposed solution:
After a successful installation, call an 'Initialisation' script/curl to create a system admin user inside Sunbird and Keycloak. Once the system admin user is created, he/she can perform the following actions:
- RootOrg creation: a root org can be created only by a system admin.
- Admin user for RootOrg: a RootOrg admin user can be created only by a system admin.
- Creation of another system admin: one system admin user can create another system admin.
- Removing a system admin: one system admin can remove another system admin.
Note: System admin details can be stored in the same place as normal users or in a different place altogether.
Inside Sunbird we can store these user details either in the user table or in a new table (sys_admin); both options have their own pros and cons.
Storing system admin details in the user table:
Pros:
* No need to maintain any new table.
* System admin is a user itself , so logically it should be saved in user table.
Cons:
* It won't have all the same access as a normal user, so we would need to add otherwise unnecessary checks to other APIs.
* User search: here we need to hide system admin details.
* Open-saber should not store system admin user details.
Storing system admin details in a different table (Sys-admin):
Pros:
* Details will be kept separate from normal users.
* Easy to manage their actions.
Cons:
* Overhead of one more table management
Managing the system admin user in Keycloak:
If we allow the system admin to do all the operations a normal Sunbird user can do, then we will create the user under the same realm; otherwise we will create the user in a different realm, so that he/she is not able to log in.
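The permission rules from the proposed solution, modelled with the separate-table option, as an added sketch that is not Sunbird code. The class and method names are hypothetical, and the one-shot behaviour of `initialise` is an assumption that the page does not state.

```python
class Forbidden(Exception):
    """Caller is not allowed to perform the action."""

class Platform:
    """In-memory stand-in for the user and org stores (hypothetical names)."""
    def __init__(self):
        self.sys_admins = set()  # kept apart from users, like a sys_admin table
        self.users = set()       # normal users, the only ones user search sees
        self.root_orgs = {}      # root org id -> ids of its admin users

    def initialise(self, user_id):
        # Assumption: the bootstrap call is one-shot. If it could be repeated,
        # any caller could mint a system admin and bypass every check below.
        if self.sys_admins:
            raise Forbidden("already initialised")
        self.sys_admins.add(user_id)

    def _require_sys_admin(self, caller):
        if caller not in self.sys_admins:
            raise Forbidden(f"{caller} is not a system admin")

    def create_root_org(self, caller, org_id):
        self._require_sys_admin(caller)
        self.root_orgs.setdefault(org_id, set())

    def create_root_org_admin(self, caller, org_id, user_id):
        self._require_sys_admin(caller)
        if org_id not in self.root_orgs:
            raise KeyError(org_id)
        self.users.add(user_id)
        self.root_orgs[org_id].add(user_id)

    def add_sys_admin(self, caller, user_id):
        self._require_sys_admin(caller)
        self.sys_admins.add(user_id)

    def remove_sys_admin(self, caller, user_id):
        self._require_sys_admin(caller)
        # "Another" system admin: refusing self-removal means the last
        # remaining admin can never be removed, so the system stays manageable.
        if caller == user_id:
            raise Forbidden("a system admin cannot remove itself")
        self.sys_admins.discard(user_id)

    def search_users(self):
        return sorted(self.users)  # system admins are never listed
```

Because the first admin is created before any org exists, the user/organisation cycle from the problem statement is broken at bootstrap.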