I am assisting an organization with deployment and integration of GEN3. The organization has an identity management system that includes a person registry and group registry. People are onboarded into the organization via the person registry using enrollment workflows and once the person is onboarded their identity/roles is/are added to appropriate groups in the group registry. Both the person registry and group registry authenticate users using federated identities made available via eduGAIN/InCommon.
The organization would like enrolled users in the person registry to automatically become users in the GEN3 deployment with some GEN3 policies/roles (perhaps all) managed using membership in groups in the group registry.
For example, if a user is a member of the group project-abc-metadata-submitters in the group registry, then the user should automatically be granted a role metadata-submitter on the resource /projects/project-abc in GEN3 when the user onboards into the identity management system.
Since the person registry and the group registry have plugin capabilities that allow external calls to remote systems, and since both the Fence and Arborist tools have REST APIs, I believe the integration with the identity management system outlined above is possible.
Do the GEN3 identity and access management experts concur?
I note that the Fence API does not appear to include a call to create a user. I think it requires dropping a YAML file into place and executing a command. I can envision an integration where that is accomplished during onboarding with a plugin that is more "sophisticated" than just invoking a REST call on the Fence API.
Does that seem plausible to the GEN3 identity and access management experts?
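To make the group-to-policy mapping concrete, here is an added example (not code from the original post, Fence or Arborist) that turns group-registry membership into Arborist-style policy objects and plans a grant/revoke sync. It assumes a naming convention of project-&lt;project&gt;-&lt;role-plural&gt; (so project-abc-metadata-submitters yields role metadata-submitter on /projects/project-abc), an explicit allow-list of recognised suffixes so unknown groups confer nothing, and that the policy object shape mirrors Arborist's id / role_ids / resource_paths fields (verify against the Arborist docs before use).

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Allow-list of group suffix -> role id (assumed convention). Groups that
# match no entry yield no grant, so an unexpected group cannot confer access.
ROLE_SUFFIXES: Dict[str, str] = {
    "metadata-submitters": "metadata-submitter",
    "readers": "reader",
}
PROJECT_RE = re.compile(r"[a-z0-9][a-z0-9-]*")


def grant_for_group(group: str) -> Optional[Tuple[str, str]]:
    """Map one group name to (resource_path, role_id); None if unrecognised."""
    if not group.startswith("project-"):
        return None
    for suffix, role in ROLE_SUFFIXES.items():
        tail = "-" + suffix
        if group.endswith(tail):
            project = group[len("project-"):-len(tail)]
            if PROJECT_RE.fullmatch(project):
                return (f"/projects/project-{project}", role)
    return None


def policies_for_groups(groups: List[str]) -> List[Dict]:
    """Build deduplicated, sorted Arborist-style policies for a user's groups."""
    seen: Set[Tuple[str, str]] = set()
    policies: List[Dict] = []
    for g in groups:
        grant = grant_for_group(g)
        if grant and grant not in seen:
            seen.add(grant)
            resource, role = grant
            policies.append({"id": f"{role}_{resource.rsplit('/', 1)[-1]}",
                             "role_ids": [role], "resource_paths": [resource]})
    return sorted(policies, key=lambda p: p["id"])


def sync_plan(current_ids: Set[str], desired: List[Dict]) -> Tuple[List[str], List[str]]:
    """Return (ids to grant, ids to revoke): leaving a group removes access
    instead of leaving a stale grant behind."""
    desired_ids = {p["id"] for p in desired}
    return sorted(desired_ids - current_ids), sorted(current_ids - desired_ids)


if __name__ == "__main__":
    # Constructed sample: a recognised group, an unknown one, a duplicate.
    groups = ["project-abc-metadata-submitters", "helpdesk-staff",
              "project-abc-metadata-submitters", "project-xyz-readers"]
    desired = policies_for_groups(groups)
    print(desired)
    print(sync_plan({"reader_project-old", "metadata-submitter_project-abc"}, desired))
```

The onboarding plugin would call `sync_plan` against the user's current Arborist policies and apply both lists, so the same hook handles deprovisioning when a group membership is removed.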