[Microsoft Login Connector - Traditional Web] Sync roles removing other application roles
Forge component by Paul Davies
Published on 09 Aug 2020

Good afternoon,

As we are exploring login with Microsoft Azure, we were taking a closer look at the action SyncRoles to make sure the user has his roles up to date when he logs in.

As we were taking a look, we realized the following:

  • Usually, an Azure application's login payload only includes that application's roles (e.g. AppA Manager) and does not include roles the same user has in other applications (e.g. AppB Manager);
  • The action will revoke from the user all his current roles in the OutSystems database and add the new ones (see code screenshot below);
  • Given the scenario where the user is AppA Manager and AppB Manager, if we run this sync after the user logs in via Azure AD in AppA, his AppB Manager role would be revoked. When the user opened another tab for AppB, he would not have access.

Do you foresee a new version where this situation gets handled?

For instance, when registering a new application in the Management application, register the roles of that application (as is done with eSpaces and resources) and adapt SyncRoles to only revoke that application's roles?

Thanks in advance.

Best regards,

João Marques
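The two behaviours discussed in the post, modelled as an added example in Python (not code from the Forge component or from the post's author): the current revoke-all sync beside the proposed app-scoped sync, which needs a registry of which roles belong to which application. Role names, the `APP_ROLES` registry and the function names are hypothetical.

```python
# Added example (not Forge component code). Models the SyncRoles behaviour the
# post describes and the app-scoped variant it proposes. All names hypothetical.

# Constructed registry of which roles belong to which application; the post
# proposes recording this when an application is registered in Management.
APP_ROLES = {
    "AppA": {"AppA Manager", "AppA Viewer"},
    "AppB": {"AppB Manager"},
}


def sync_roles_revoke_all(user_roles: set[str], token_roles: set[str]) -> set[str]:
    """Behaviour described in the post: revoke every role the user currently
    holds, then grant only the roles carried in the Azure AD login payload."""
    return set(token_roles)


def sync_roles_app_scoped(user_roles: set[str], token_roles: set[str],
                          app_name: str) -> set[str]:
    """Proposed behaviour: revoke only the roles registered to the application
    the login came from, then grant the token's roles. Roles belonging to other
    applications are left untouched."""
    owned = APP_ROLES[app_name]
    # Defensive check: a login for AppA must not be able to grant AppB's roles.
    foreign = token_roles - owned
    if foreign:
        raise ValueError(f"login for {app_name} carries roles it cannot grant: {sorted(foreign)}")
    kept = {r for r in user_roles if r not in owned}
    return kept | set(token_roles)


def demo() -> tuple[set[str], set[str]]:
    # Constructed scenario from the post: user is manager of both apps, plus a
    # viewer role in AppA that Azure AD no longer assigns; login happens in AppA.
    user_roles = {"AppA Manager", "AppA Viewer", "AppB Manager"}
    token_roles = {"AppA Manager"}  # roles claim from the AppA login payload
    current = sync_roles_revoke_all(user_roles, token_roles)
    proposed = sync_roles_app_scoped(user_roles, token_roles, "AppA")
    return current, proposed


if __name__ == "__main__":
    current, proposed = demo()
    print("revoke-all SyncRoles:", sorted(current))   # AppB Manager lost
    print("app-scoped SyncRoles:", sorted(proposed))  # AppB Manager kept, AppA Viewer revoked
```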