External Permissions are permissions which do not control access to anything in the TIS system, but instead give access to external functions, defined by the apps and services which read them. TIS is used to store metadata of the permissions, the knowledge of who has which external permission, and to grant and revoke those permissions through APIs and user interfaces.

External permissions are supported from ID server version 3.6 onwards.

...

Permission management with management console

TODOOpen the External Permissions view from the main menu. In the table view you will see the permission groups you have at least read access to. You can create, edit, and remove permission groups and permissions within them.

Permission management with API

...

TODO / Requirements for granting and revoking

With management console

TODO

...

Open the Accounts view. Select an user. Select “External permissions” from the Actions menu. A dialog will open showing the user’s external permissions, together with options to revoke or grant more permissions.

With Management API

TODO

Querying user’s external permissions

TODO / Requirements for querying

With management console

TODOWhen querying as an user, the calling user will see only permissions from permission groups where they have read-level management access to.

When querying with Management API Client credentials, the client will see permissions only from permissions groups where it is on the “visible to” list.

When querying with an OAuth2 app, the app will see permissions only from permission groups where it is on the “visible to” list.

With management console

Open the Accounts view. Select an user. Select “External permissions” from the Actions menu. A dialog will open showing the user’s external permissions, together with options to revoke or grant more permissions.

With Management API

TODO

With OpenID Connect claims and UserInfo endpoint

...