Using OpenId Connect (Identity Server) - ISynchronizingUserService - synched claims are case insensitive - how to delete previous synched role

Bojan S.
Member since: 2014
 

We are using IdentityServer for authentication and authorization into EpiServer.

The problem we have is related to the use case where we need to change the ACL for specific content during an importation job where we create/update organization pages from another system (API service).

We use organization names for role/group names (which, it seems, wasn't a good candidate), where the logged-in user has editor rights, and that works fine.

Now we have a specific case where the organization name has to be changed in the API system, and we need to update the ACL for content with another group/role org name. This works as long as the previous group name is totally different. But we had another case where they needed to change only a capital letter after it had already been synched once with EpiServer. And here we have a problem.

If we clear and set IsInherited = false to the content ACL and then add new entries with the new organization name (which is only different by one uppercase letter because of writing convention) and save it, the system picks up the previous group/role org name and ignores the new one (it wasn't created and can't be picked up in Admin -> Set Access Rights -> Add groups).

When some user logs in, it doesn't have permissions as role checking is case sensitive.

But ISynchronizingUserService syncs role claims as case insensitive and doesn't allow another entry in tblSynchedUserRole (because of the column LoweredRoleName).

I have found ISynchronizedUsersRepository but there is no method for synced roles deletion.

I want to delete a previous synced organizationName role in order to be able to insert (sync) another one which is case sensitive, in order to be able to assign it as a group/role to the content ACL.

Is there an EpiServer way of programmatically deleting a role name from tblSynchedUserRole?

Thanks

#202236
Mar 20, 2019 11:45
Johan Kronberg
Member since: 2005
 

I recall those are all internal namespaces and that there's no easy way to modify the table data from code outside.

But...

I haven't had any issues clearing the tblSynched* tables directly in the database and I've also had times where I've pre-filled them with role names.

#202312
Edited, Mar 22, 2019 19:07
Antti Alasvuo
Member since: 2010
 

I've used the same approach as Johan (maybe not the supported way if there actually is any, but gets the job done).

#202328
Mar 24, 2019 21:21