Role everyone incorrectly set in set_all_auth_role
marde16 opened this issue
The playbook connections-restrict-access.yml modifies, for the role everyone, the default mapping from Everyone to All Authenticated in Application's Realm.
The Connections documentation (https://help.hcltechsw.com/connections/v7/admin/admin/r_admin_common_user_roles.html) says about the Everyone role:
Users with this role can access public pages without signing in to the application. The login page is an example of a page that allows such access.
Do not change the default mapping for this role because it is used internally by HCL Connections. Changing the mapping might affect the ability to log in to the application.
Therefore, the setting for everyone should be yes and the allauth variables should be empty:
- { __role: "everyone", __everyone: "yes", __allauth: '""', __users: '""', __groups: '""', __allauth_trusted: '""', __mappeduseraccessids: '""', __mappedgroupaccessids: '""' }
This script is for the playbook to disable anonymous access. Therefore, the everyone role is set to "no". We'll review the related documentation to more accurately describe anonymous access. Thanks for feedback.
The everyone roles are needed to display the login form. If you set everyone to no, no login is possible!
To disable anonymous access, you have to set reader to authenticated.
You want to set reader, do not touch Everyone!
It is important that the role reader should be changed from Everyone to Authenticated, but the everyone role has to be Everyone, or login breaks. Even OIDC will break, because the forward rules end in 404.
We have been using this playbook for internal deployments including OIDC; that's why I'd like the documentation to be reviewed to understand more about the discrepancy between automation requirements and documentation.
Closing this per previous comments; the documentation is to be reviewed to understand more about the discrepancy between automation requirements and documentation.
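A lint for role-mapping entries in the format quoted in this issue, encoding the rule argued by the reporter and the quoted documentation: everyone stays mapped to Everyone with empty allauth, and reader must not be mapped to Everyone. This is an added example, not part of the playbook or of any comment in the thread; the reader entries, the `"yes"` value for `__allauth`, and the function names are constructed assumptions.

```python
import re

# Matches  key: "value"  or  key: 'value'  pairs inside one inline mapping entry.
PAIR = re.compile(r"""(__\w+):\s*(?:"([^"]*)"|'([^']*)')""")


def parse_entry(line):
    """Parse one '- { __role: "...", ... }' line; the literal '""' becomes ''."""
    return {key: (dq or sq).strip('"') for key, dq, sq in PAIR.findall(line)}


def check_roles(lines):
    """Return findings for mappings that break login or leave anonymous access on."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        role = entry.get("__role")
        if role == "everyone":
            if entry.get("__everyone") != "yes":
                findings.append("everyone: not mapped to Everyone (login page needs it)")
            if entry.get("__allauth"):
                findings.append("everyone: __allauth should be empty")
        elif role == "reader" and entry.get("__everyone") == "yes":
            findings.append("reader: mapped to Everyone (anonymous access still on)")
    return findings


# Constructed samples. The everyone line in GOOD is the one proposed in the issue;
# the reader lines and the "yes" value for __allauth are assumptions.
GOOD = [
    '- { __role: "everyone", __everyone: "yes", __allauth: \'""\', __users: \'""\' }',
    '- { __role: "reader", __everyone: "no", __allauth: "yes", __users: \'""\' }',
]
BAD = [
    '- { __role: "everyone", __everyone: "no", __allauth: "yes", __users: \'""\' }',
    '- { __role: "reader", __everyone: "yes", __allauth: \'""\', __users: \'""\' }',
]

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_roles(sample) or "ok")
```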