IDM's default authorization model (access rules) requires the openidm-authorized role for end-user access to the profile and self-service endpoints. There are four ways to grant it:
- Include an authzRoles relationship to the openidm-authorized role in the create request
- Use an onCreate script on the managed/user to auto-add this relationship
- Define defaultUserRoles in authentication.json to include the openidm-authorized role.
- Use virtual property calculation in concert with an onStore script to add the openidm-authorized role to whatever roles are directly or conditionally granted.
Presently, IDM implements option #2, which incurs unnecessary cost both in storing the relationship and in the execution time spent validating and persisting it. Research the alternatives (#3 and #4 are particularly interesting) and compare performance.
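For reference, the shape of the relationship that options #1 and #2 create, as an added example rather than IDM's own onCreate script. It shows an idempotent helper that adds the openidm-authorized relationship to a managed/user object only when it is not already present (so a create request that already carries it, per option #1, does not end up with a duplicate), and a request builder that uses the same helper. The internal-role reference path is an assumption taken from IDM's usual `repo/internal/role/...` naming.

```javascript
// Added example, not IDM's own code. Models the onCreate pattern (option #2) and the
// create-request pattern (option #1) for granting openidm-authorized to a managed user.
// The relationship reference path below is an assumption, not taken from the ticket.
const AUTHORIZED_ROLE_REF = "repo/internal/role/openidm-authorized"; // assumed path

// True when the authzRoles array already references the given role.
function hasRef(roles, ref) {
  return roles.some((r) => r && r._ref === ref);
}

// Mutates the managed user object in place, as an onCreate script acting on `object`
// would, and returns whether a relationship was actually added. The return value makes
// the per-create relationship cost the ticket discusses visible to the caller.
function ensureAuthorizedRole(object) {
  if (!Array.isArray(object.authzRoles)) {
    object.authzRoles = [];
  }
  if (hasRef(object.authzRoles, AUTHORIZED_ROLE_REF)) {
    return false; // already granted, e.g. the create request (option #1) carried it
  }
  object.authzRoles.push({ _ref: AUTHORIZED_ROLE_REF });
  return true;
}

// Option #1: build the create request body with the relationship already present,
// alongside any other role references the caller wants to grant directly.
function buildCreateRequest(userName, extraRoleRefs = []) {
  const object = {
    userName,
    authzRoles: extraRoleRefs.map((ref) => ({ _ref: ref })),
  };
  ensureAuthorizedRole(object);
  return object;
}

// Constructed sample input: a user created without any roles, then one created with
// an additional (hypothetical) managed role reference.
const created = { userName: "bjensen" };
ensureAuthorizedRole(created);
const request = buildCreateRequest("scarter", ["managed/role/employee"]);
console.log(JSON.stringify(created), JSON.stringify(request));
```

Both paths still persist one relationship per user, which is exactly the storage and validation cost the ticket wants to avoid; options #3 and #4 grant the role at authentication time or via a virtual property instead, so nothing extra is written to the repository.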