Self-hosted, OIDC: Limit access to group(s)

Hello,
I’m authenticating with OIDC and a local GitLab instance. I’d like to restrict which GitLab users can use Grist.
I don’t see an option to do this.

With Grafana, for example, I can configure “allowed_groups”. I think Grist needs this feature also.

This seems related to Self-hosted, single-org & OIDC: default permissions?, and to this Github issue to support the SCIM API for provisioning users: Support SCIM · Issue #870 · gristlabs/grist-core · GitHub.

Grist currently doesn’t support either giving a default permission to all users, or restricting it to users with a certain attribute. Instead, any user who should have access needs to be added to a team site in the “Manage Team” dialog (or can also be added to an individual document), with a suitable role (Viewer/Editor/Owner).

Grist does have an API for adding users, and I believe some organizations have set things up to automate adding users to Grist using that. I don’t have any examples to follow though.
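Since the reply above mentions the API but has no example to point at, here is an added one (not code from the Grist project or from anyone in this thread). It uses the documented Grist REST endpoints `GET /api/orgs/{org}/access` and `PATCH /api/orgs/{org}/access`, where the PATCH body is `{"delta": {"users": {email: role}}}` and a role of `null` removes the user. The allow-list (in practice an export of your GitLab or Authelia group), the instance URL, the org identifier and the e-mail addresses are assumptions; the script computes the minimal delta and, by default, only prints it (dry run) so you can inspect it before letting it change membership. A `keep` set protects the account whose API key is used, so the sync can never remove its own owner.

```python
"""Sync a Grist team site's membership with an allow-list of e-mail addresses.

Added example, not part of Grist. Endpoints used are the documented
GET/PATCH /api/orgs/{org}/access. The allow-list source is an assumption
(export it from your IdP group however you like).
"""
import json
import os
import urllib.request

# Deployment-specific values (assumptions; set them for your instance).
GRIST_URL = os.environ.get("GRIST_URL", "https://grist.example.com")
GRIST_API_KEY = os.environ.get("GRIST_API_KEY", "")
GRIST_ORG = os.environ.get("GRIST_ORG", "current")  # numeric id, subdomain, or "current"

# Org-level roles Grist accepts in the access delta.
VALID_ROLES = {"owners", "editors", "viewers", "members"}


def roles_from_access(access_response):
    """Turn the JSON body of GET /api/orgs/{org}/access into {email: role}.

    Each user carries 'access': one of the VALID_ROLES, or None when the user
    has no org-wide role (for example a guest on a single document).
    """
    return {u["email"].lower(): u.get("access") for u in access_response.get("users", [])}


def compute_delta(current, allowed, keep=()):
    """Return the minimal {email: role-or-None} delta for PATCH .../access.

    current: {email: role} as returned by roles_from_access()
    allowed: {email: role} that should exist on the team site
    keep:    e-mails never touched (the API key's own account, break-glass admins)
    Users present in Grist but absent from `allowed` get None, which removes
    them from the team site; users already at the wanted role are skipped.
    """
    keep = {e.lower() for e in keep}
    allowed = {e.lower(): r for e, r in allowed.items()}
    for role in allowed.values():
        if role not in VALID_ROLES:
            raise ValueError(f"unknown Grist role: {role!r}")
    delta = {}
    for email, role in allowed.items():
        if email not in keep and current.get(email) != role:
            delta[email] = role
    for email, role in current.items():
        if email not in allowed and email not in keep and role is not None:
            delta[email] = None
    return delta


def build_patch(delta):
    """Request body expected by PATCH /api/orgs/{org}/access."""
    return {"delta": {"users": delta}}


def _request(method, path, body=None):
    """Minimal authenticated call against the Grist API (Bearer API key)."""
    req = urllib.request.Request(
        f"{GRIST_URL}/api/orgs/{GRIST_ORG}{path}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={
            "Authorization": f"Bearer {GRIST_API_KEY}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def sync(allowed, keep=(), dry_run=True):
    """Fetch current membership, compute the delta, apply it unless dry_run."""
    current = roles_from_access(_request("GET", "/access"))
    delta = compute_delta(current, allowed, keep)
    if delta and not dry_run:
        _request("PATCH", "/access", build_patch(delta))
    return delta


if __name__ == "__main__":
    # Constructed allow-list standing in for an export of your IdP group.
    wanted = {"alice@example.com": "editors", "bob@example.com": "viewers"}
    print(json.dumps(sync(wanted, keep={"admin@example.com"}, dry_run=True), indent=2))
```

Run it from cron or a CI job after exporting the group from your IdP; switch to `dry_run=False` only once the printed delta looks right. Removing a user from the team site does not revoke document-level shares they were given individually, so audit `GET /api/docs/{docId}/access` separately if that matters to you.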

So I think I have this figured out - I recently set up OIDC with Authelia and was trying to limit authorized access to Authelia User Database group definitions. In Authelia, I had to use the OIDC Authorization Policy definitions to limit by User Database groups, not the Access Control section (which seemed to do nothing for Grist).

My goal has been to allow for public forms (so GRIST_FORCE_LOGIN = False), but limit actual usage to groups defined in the User Database of Authelia (GRIST_ANON_PLAYGROUND = False). Previously, without the OIDC Auth Policy, trying to use the Access Control group limitations did NOT limit to defined groups. Using the OIDC Authorization Policy DOES limit the group. If using Authelia, do not use capital letters in the Auth Policy name; it seems to break the initialization of Authelia.

Some months later, but sharing learnings for other users.
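The Authelia setup the post above describes, as an added configuration fragment (it is not the poster's own config). It uses Authelia's OIDC `authorization_policies` block: a named policy with `default_policy: deny` and a single rule that allows one-factor login for members of one User Database group, then assigns that policy to the Grist client. The group name `grist-users`, the client id, the Grist hostname and the `/oauth2/callback` redirect path are assumptions; adjust them to your deployment. The policy name is deliberately lowercase, per the note above.

```yaml
# Fragment of Authelia's configuration.yml (assumed layout; merge into yours).
identity_providers:
  oidc:
    # Named policy evaluated when the Grist client requests authorization.
    # Keep the name lowercase: the post above reports that capital letters
    # broke Authelia's start-up.
    authorization_policies:
      grist:
        default_policy: deny            # anyone not matched by a rule is refused
        rules:
          - policy: one_factor          # or two_factor, as your IdP requires
            subject:
              - 'group:grist-users'     # group listed in users_database.yml (assumed name)

    clients:
      - client_id: 'grist'
        client_name: 'Grist'
        client_secret: '<hashed client secret, see Authelia docs>'
        authorization_policy: 'grist'   # refers to the policy defined above
        redirect_uris:
          - 'https://grist.example.com/oauth2/callback'   # assumed Grist URL
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
```

With this in place, a user who is in the User Database but not in `grist-users` is refused at the consent/authorization step, before Grist ever sees an ID token; combined with GRIST_ANON_PLAYGROUND = False, that is what keeps unlisted accounts from creating content while still allowing anonymous access to public forms.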