@ravisuhag @AkarshSatija @mabdh @bsushmith @singhvikash11 need your help to go through this rfc 🙏

Draft PR which addresses this issues. #167

@rahmatrhd
I think option 2 is better to start with. we can have an API to import access which can be triggered manually and a corresponding cli command e.g.guardian provider import <provide-name> -r <resources>

Flag to identify whether it is imported or not can be generalized. maybe something like. grant: import/policy. There can be a better name for it.

@Chief-Rishab I think adding no policies or no approvers associated with these appeals would not be ideal. There should be an admin page and the admin/approver could revoke this access from users later.

@rahmatrhd let's set up some time to discuss RFC, we can catch up and go through it.

There should be an admin page and the admin/approver could revoke this access from users later.

@singhvikash11 currently anyone with the revoke API access can revoke any appeals, it's not depending on the policy. Apart from that, a policy is being used to determine the approvers, while those imported access are already active access, so we no longer have to set the approvers.

found an edge case: since provider resources are not synced to guardian in real time, when importing existing access from provider, there might be a chance it contains access from newly created resources that haven't been synced to guardian yet. Those access can't be added to guardian unless we also add the new resources to the guardian which will add a side-effect to import access api and makes it not clean (first option). Or the easiest one is, to ignore the access from resources that haven't been synced to guardian.
cc @ravisuhag @bsushmith @singhvikash11 @Chief-Rishab

Can we make a cron job/API to regularly fetch resources first rather than ignoring resources not synced with Guardian.? That would increase the scope for drift management as well but will be good for the end user

@rahmatrhd As part of import access, we should ignore the access of resources that are not registered in Guardian. The drift of resources can be handled separately.

Have thought of merging this import access with the existing FetchResources process since for import access we are doing it for every resource in the provider. We can rename FetchResources to Sync and what happen in that is we are syncing the resources and the access. In this case, since fetch resources already happen through a job, then option 1 and 2 will be implemented altogether. The API that initially only for import access could become /providers/:id/sync (still can have option to sync resources only or access only)

Reason I come with this proposal is, when fetching access from provider we are also fetching the resources again to get the access entries for each. And I think it could be a signal that these process can be merged together

as discussed, we will keep both processes decoupled until we see better use cases or requirements for that.

Import Access will still be done through an API but user can add filter for resources: GET /providers/:id/import-access?resource_types=t1&resource_types=t2&resource_urns=r1. Or if user wants to import access for all resources query ?all=true also can be added.

The function signature for ImportAccess in the provider client would be like this: ImportAccess(*domain.ProviderConfig, []*domain.Resource) error (not final) to give flexibility for user to filter the resources and future use cases

In addition to this, at provider level provider will provide a method that takes resources as input and import access for the provided resources.