External Permissions are permissions which do not control access to anything in the TIS system, but instead give access to external functions, defined by the apps and services which read them. TIS is used to store metadata of the permissions, the knowledge of who has which external permission, and to grant and revoke those permissions through APIs and user interfaces.

Defining External Permissions

External Permissions are organised into External Permission Groups. Every permission under one group is managed by the same people, and visible to the same clients and apps. Your application probably will need only one or few permission groups to cover the use cases. You should create a new permission group only if the permissions have different management or visibility requirements.

Creating new External Permission Groups requires a built-in permission “Manage External Permissions”.

Create a new External Permission Group. Configure

• who can manage the group and permissions under it (with read or read+write access),

• who can grant and revoke those permissions, and

• which clients can view these permissions.

Then create External Permissions to the group. You can specify an external ID which is a code you might use in your application and which is provided via external permission query APIs.

Permission management with management console

TODO

Permission management with API

TODO

Granting and revoking external permissions

TODO / Requirements for granting and revoking

With management console

TODO

With API

TODO

Querying user’s external permissions

TODO / Requirements for querying

With management console

TODO

With Management API

TODO

With OpenID Connect claims and UserInfo endpoint

TODO