Hi,
Context:
Larger Foundry stacks are managed by a central platform team and are used by many different hubs and spokes in an organization.
The Central Platform Team reviews the need for Third Party Application (TPA) Service Users, approves their usage by the hubs and spokes for a specific purpose, and creates and shares the client_id and secret.
Foundry generates a dedicated multipass user in the oauth2-realm which can be freely added to all groups or directly attached to projects.
The requestor of the TPA can grant additional permissions to projects that are outside of the approved scope. The central platform team is not informed of this misuse.
Bonus: We can also restrict the scope of the TPA Service user (e.g. compass:read, compass:write)
Why we cannot do it today:
It’s not supported in the product.
Workarounds:
Monitoring the audit logs for misuse of TPA Service Users.
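As an added illustration of that workaround (not code from the original post or from Foundry), the script below scans audit events for two kinds of drift from the approved scope: a TPA service user being granted access on a project the platform team never approved, and a request for an OAuth scope (e.g. compass:write) beyond what was agreed. The event field names, the service-user name and the sample log lines are all constructed for the example; Foundry's real audit log schema is not shown on the page and would need to be mapped in.

```python
"""Added example: flag grants to TPA service users that fall outside their approved scope.

The audit event format, field names and sample data below are constructed for this
illustration. They are NOT Foundry's audit log schema; adapt the field mapping to the
real export before use.
"""
import json
from dataclasses import dataclass

# What the central platform team approved per TPA service user (constructed sample).
APPROVED_SCOPE = {
    "svc-tpa-compass-sync": {
        "projects": {"proj-hub-a", "proj-hub-b"},
        "scopes": {"compass:read"},
    },
}

# Event types that extend a subject's access to a project (constructed names).
GRANT_EVENTS = {"project.role.grant", "group.member.add"}

# Constructed audit lines, one JSON object per line, as a log exporter might emit them.
SAMPLE_AUDIT_LOG = [
    '{"event": "project.role.grant", "actor": "alice@example.org", '
    '"subject": "svc-tpa-compass-sync", "project": "proj-hub-a", "role": "viewer"}',
    '{"event": "project.role.grant", "actor": "bob@example.org", '
    '"subject": "svc-tpa-compass-sync", "project": "proj-spoke-x", "role": "editor"}',
    '{"event": "project.role.grant", "actor": "carol@example.org", '
    '"subject": "jane@example.org", "project": "proj-spoke-x", "role": "viewer"}',
    '{"event": "token.scope.request", "actor": "svc-tpa-compass-sync", '
    '"subject": "svc-tpa-compass-sync", "scope": "compass:write"}',
    'this line is not JSON and should be counted, not crash the scan',
]


@dataclass(frozen=True)
class Finding:
    subject: str   # the TPA service user affected
    actor: str     # who performed the grant or request
    reason: str    # why it is out of scope


def find_out_of_scope(log_lines, approved=APPROVED_SCOPE):
    """Return (findings, malformed_count) for the given audit lines.

    Only subjects listed in `approved` are examined; everything else is assumed to be
    a human user or an unmanaged principal handled by other controls.
    """
    findings = []
    malformed = 0
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1   # surface parser gaps rather than silently dropping them
            continue
        subject = ev.get("subject")
        policy = approved.get(subject)
        if policy is None:
            continue   # not a managed TPA service user
        event = ev.get("event")
        actor = ev.get("actor", "<unknown>")
        if event in GRANT_EVENTS:
            project = ev.get("project")
            if project not in policy["projects"]:
                findings.append(Finding(subject, actor,
                                        f"access granted on unapproved project {project}"))
        elif event == "token.scope.request":
            scope = ev.get("scope")
            if scope not in policy["scopes"]:
                findings.append(Finding(subject, actor,
                                        f"requested unapproved scope {scope}"))
    return findings, malformed


if __name__ == "__main__":
    found, bad = find_out_of_scope(SAMPLE_AUDIT_LOG)
    for f in found:
        print(f"ALERT subject={f.subject} actor={f.actor}: {f.reason}")
    print(f"{len(found)} finding(s), {bad} malformed line(s)")
```

Because the grant is performed by the requestor rather than by the service user itself, the alert keys on the `actor` as well as the `subject`: the actor is who the platform team needs to follow up with. A malformed-line counter is kept so that a change in the log format shows up as a sudden rise in unparsed lines rather than as a silent loss of coverage.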
Benefits:
TPA Service Users are limited to projects, and access cannot be expanded beyond the scope agreed with the central platform team.