Safewhere Identify 5.15 Release Notes
New features and improvements
Fine-grained authorization
For simplicity, the new Identify Admin portal originally had only three roles: Administrator, Observer, and User. However, with the retirement of the old Admin UI, our customers have increasingly adopted the new Admin interface, and there has been a growing demand for a more fine-grained authorization system to manage user privileges. In response, we have introduced several new roles. Some of the most significant ones are:
- ConfigurationContributor: This role has the ability to view and modify all resources except for Users.
- ConfigurationObserver: This role can view all resources but does not have permission to modify them. Additionally, it does not have access to view user data.
- UserContributor: This role has the ability to view and modify user information exclusively, without access to any other resources.
A user can have multiple roles assigned.
Implementation of the new roles requires the following changes:
- Delete the "urn:anyid:role" role claim. The role claim was used to differentiate access to the old and new Admin UI. With the retirement of the old Admin UI, the claim is no longer necessary. If you are creating users using the REST API and assigning this role to them, you need to update your code to exclude the claim. Similarly, any claims transformations issuing this role should be updated.
- Update the "urn:identify:rest-api:role" role from a single-value discrete claim to a multiple-value claim.
- Add many predefined role options to the "urn:identify:rest-api:role" role claim.
All the aforementioned changes are made using SQL change scripts. Please note that existing access and refresh tokens will still work after the upgrade.
The functionalities that a user can access in the Admin UI depend on the roles assigned to them. Additionally, if a user has roles that do not grant permission to view or edit their own profile, they will be redirected to the System Information page.
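The following is an added example, not code from Safewhere Identify or these release notes. It models the three role descriptions above and the claim changes (the retired "urn:anyid:role" claim and the now multi-valued "urn:identify:rest-api:role" claim) as a small claims-processing and authorization routine. The permission names, the union of permissions across multiple roles, the claim representation as (type, value) tuples, and the rule that viewing one's own profile requires user-view permission are all assumptions made for illustration; they are not the product's actual authorization code.

```python
from typing import Dict, FrozenSet, List, Tuple

# A claim is modelled here as a (type, value) pair; this shape is an assumption.
Claim = Tuple[str, str]

LEGACY_ROLE_CLAIM = "urn:anyid:role"              # retired in 5.15
REST_API_ROLE_CLAIM = "urn:identify:rest-api:role"  # multi-valued as of 5.15

# Permission names and the mapping are assumptions for this example; the release
# notes describe the three roles only in prose.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "ConfigurationContributor": frozenset({"config:view", "config:modify"}),
    "ConfigurationObserver": frozenset({"config:view"}),
    "UserContributor": frozenset({"users:view", "users:modify"}),
}


def migrate_claims(claims: List[Claim]) -> List[Claim]:
    """Drop every instance of the retired legacy role claim; keep all other claims.

    This mirrors the change a REST API client or claims transformation needs to
    make before the upgrade so that it stops issuing urn:anyid:role.
    """
    return [c for c in claims if c[0] != LEGACY_ROLE_CLAIM]


def roles_of(claims: List[Claim]) -> FrozenSet[str]:
    """Collect all values of the multi-valued REST API role claim."""
    return frozenset(value for ctype, value in claims if ctype == REST_API_ROLE_CLAIM)


def effective_permissions(roles: FrozenSet[str]) -> FrozenSet[str]:
    """Union the permissions of every assigned role; fail closed on unknown roles."""
    unknown = roles - ROLE_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unrecognised role(s): {sorted(unknown)}")
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def landing_page(perms: FrozenSet[str]) -> str:
    """Assumed rule: a user who cannot view user data cannot view their own
    profile and is sent to the System Information page instead."""
    return "Profile" if "users:view" in perms else "System Information"


def authorize(claims: List[Claim]) -> Tuple[FrozenSet[str], str]:
    """End-to-end: migrate claims, read roles, derive permissions and landing page."""
    migrated = migrate_claims(claims)
    perms = effective_permissions(roles_of(migrated))
    return perms, landing_page(perms)


if __name__ == "__main__":
    # Constructed sample claim set for a user created before the upgrade.
    sample: List[Claim] = [
        (LEGACY_ROLE_CLAIM, "Administrator"),
        (REST_API_ROLE_CLAIM, "ConfigurationObserver"),
        (REST_API_ROLE_CLAIM, "UserContributor"),
        ("email", "user@example.com"),
    ]
    perms, page = authorize(sample)
    print(sorted(perms), page)
```

Because `effective_permissions` raises on a role name it does not know, a claims transformation that still emits a legacy or misspelled role value is rejected rather than silently granted nothing or everything, which is the behaviour you want while verifying updated transformations after the upgrade.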
You can refer to Identify Admin's authorization to learn about all the new roles.
Impacted code
This feature requires code changes in the following modules:
- REST API: Authorization code
- Configurator: Handling of the role claims.
- Identify Admin portal: Multiple pages where the new authorization system is applied
- No code changes related to the Runtime module.
Breaking changes
The new authorization implementation removed the "urn:anyid:role" role claim. If you are creating users using the REST API and assigning this role to them, you need to update your code to exclude the claim. Similarly, any claims transformations issuing this role should be updated.