External Permissions are permissions which do not control access to anything in the TIS system, but instead give access to external functions, defined by the apps and services which read them. TIS is used to store metadata of the permissions, the knowledge of who has which external permission, and to grant and revoke those permissions through APIs and user interfaces.

External permissions are supported from ID server version 3.6 onwards.

Defining External Permissions

External Permissions are organised into External Permission Groups. Every permission under one group is managed by the same people, and visible to the same clients and apps. Your application probably will need only one or few permission groups to cover the use cases. You should create a new permission group only if the permissions have different management or visibility requirements.

Creating new External Permission Groups requires a built-in permission “Manage External Permissions”.

Create a new External Permission Group. Configure

• who can manage the group and permissions under it (with read or read+write access),

• who can grant and revoke those permissions, and

• which clients can view these permissions.

Then create External Permissions to the group. You can specify an external ID which is a code you might use in your application and which is provided via external permission query APIs.

Permission management with management console

Open the External Permissions view from the main menu. In the table view you will see the permission groups you have at least read access to. You can create, edit, and remove permission groups and permissions within them.

Permission management with API

TODO

Granting and revoking external permissions

TODO / Requirements for granting and revoking

With management console

Open the Accounts view. Select an user. Select “External permissions” from the Actions menu. A dialog will open showing the user’s external permissions, together with options to revoke or grant more permissions.

With Management API

TODO

Querying user’s external permissions

When querying as an user, the calling user will see only permissions from permission groups where they have read-level management access to.

When querying with Management API Client credentials, the client will see permissions only from permissions groups where it is on the “visible to” list.

When querying with an OAuth2 app, the app will see permissions only from permission groups where it is on the “visible to” list.

With management console

Open the Accounts view. Select an user. Select “External permissions” from the Actions menu. A dialog will open showing the user’s external permissions, together with options to revoke or grant more permissions.

With Management API

TODO

With OpenID Connect claims and UserInfo endpoint

TODO