Versions Compared

Version Old Version 9 New Version 10
Changes made by

Catalin Tomai

Catalin Tomai

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WIP

OVERVIEW

...

  • the goal is to add three new roles: User Manager, Console Viewer and Junior Admin (see https://www.notion.so/New-System-Roles-Special-Admins-be514029606545e3be3aa3e8c8ba507e
    for current requirements). These new roles will be defined at System scope. They will have access to the System Console - like the System Admin

  • these new roles will have specific rights on the following resources:

    • System Console sections and subsections.

    • config.json settings (through the API config.goget`get`/set `set` endpoints).

    • various API methods that support functionalities exposed in the System Console (e.g. display analytics, link, sync groups) - separate from config settings.

...

The algorithm is as follows:
- if the current user's system role does not have READ or WRITE permission on the resource, the section is hidden for the user.
Example: User Manager does not have PERMISSION_READ_SYSCONSOLE_PLUGINS or PERMISSION_WRITE_SYSCONSOLE_PLUGINS so the Plugins section is hidden from view for a user in a User Manager role.
- if the current user's system role only has READ permission on the resource the resource(section) is disabled
Example: User Manager has PERMISSION_READ_SYSCONSOLE_AUTHENTICATION so the Authentication section is disabled for a user.
- if the current user's system role has a WRITE permission on a sub-section, then irrespective if he has READ or WRITE permission on the parent section, the resulting permission on the subsection is WRITE
Example: User Manager has PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_USERS on the Users sub-section but also PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT on the entire section, the resulting permission is WRITE on the sub-section.

...

Each API call that was previously gated by the MANAGE_SYSTEM permission is now gated by the READ_* permission for the get() calls and WRITE_* permission for the create/patch/update calls.
If we need to have more granular access to an API method that corresponds to the functionality of a sub-section in the System Console (like in the User Manager case), we will gate those calls on a case by case (one panel functionality in the System Console panel can map to more than one API call).


Permissions

See changes detailed above

Schema

No schema changes

REST API

The following API methods will have their gating functionality changes, as follows:

Performance

No performance degradation expected.

Plugins

CREDITS

Thanks to