[FEATURE] affirmation stage

[cheggerdev]

Consider the situation of user enrollment that should be affirmed by someone in charge.

After sign up I want to choose someone in charge to affirm me (a guest cannot affirm the sign up).
Depending on the affirmation I get assigned to a certain group. The group membership is associated with permissions both in authentik and in the applications.

Who can do the affirmation speaking in authentik language?

• a created role with the "affirmation privilege" assigned to users and/or groups.
• certain created groups (e.g. teamleader groups) with the "affirmation privilege"
• certain internal users (e.g. teamleaders) with the "affirmation privilege"
• also allow to define the affirmation roles/groups/users by an expression policy
• if only groups are chosen provide a selection if all group members or any group member must do the affirmation

Where should the affirmation stage be in the flow?

• Designation: enrollment
• It should be anywhere after the user write stage with user created as inaktiv
• It should be anywhere after the email stage and/or after 2fa validation stage
• It should be anywhere before the User login stage

What should the affirmation stage do?

• It sends a request by email or sms to an user or to group members to affirm the pending user
• If the request is sent to group members then wait for all or any (depending on settings) incoming affirmations
• Optionally: When the user is affirmed the pending user is activated
• When the user is affirmed he gets assigned to a group the affirming person/group is part by default
• When the user is affirmed he gets assigned to a group as defined by an expression policy
• The user gets notified that he has been affirmed and can login with (additional) permissions granted