WIP

OVERVIEW

Add three new System-scoped roles to the product: Junior Admin, User Manager and Console Viewer.

GOALS

1. -

2. -

3. -

SCOPE

In:

• gate System Console sections and subsections access

• gate config.json settings management

• gate API methods.

Out:

• define custom roles

• support plugins permissions

TERMINOLOGY

resources - they can be System Console sections/subsections, config.json settings, API methods.

SPECIFICATIONS

Requirements

• the goal is to add three new roles: User Manager, Console Viewer and Junior Admin (see https://www.notion.so/New-System-Roles-Special-Admins-be514029606545e3be3aa3e8c8ba507e
  for current requirements). These new roles will be defined at System scope. They will have access to the System Console - like the System Admin

• these new roles will possess specific rights on the following resources:

  • System Console sections and subsections.

  • config.json settings (through the API config.go get and set endpoints).

  • various API methods that support functionalities exposed in the System Console (e.g. display analytics, link, sync groups) - separate from config settings.

High-level Architecture

Resources

System Console

The System Console has the following ten main sections (enumerated in the order they are displayed in the UX):

About
Reporting
User Management
Environment
Site Configuration
Authentication
Plugins
Integrations
Compliance
Experimental

The new roles can have the following levels of access to these sections (and in some instances to some of their subsections) - none, read, write, where:
none - the section is not displayed to the User
read - the section is displayed but all of its components are disabled, with exceptions given by the type of component (for example, web links and search boxes are not disabled) and by the permissions on the sub-sections - if the current user’s role has WRITE permissions on a subsection, it is not disabled. In some cases the page needed to access the main functionality is not disabled but the landing page components are - example: Edit Scheme is enabled, but the permission(s) tree shown in the next page is disabled.
write - the section (and its subsections) are fully accessible

Junior Admin

About - none
Reporting - read + write
User Management read+write (with the exception of not being able to reset other admin passwords)
Environment - read + write
Site Configuration - read + write
Authentication - read+write
Plugins - read+write
Integrations read+write
Compliance - none
Experimental - none

Console Viewer

About - none
Reporting - read
User Management -read
Environment - read
Site Configuration - read
Authentication - read
Plugins - read
Integrations read
Compliance - read
Experimental - read

User Manager

About - none
Reporting - none
User Management - read+write (with the exception of not being able to reset other admin passwords)
Site Configuration - none
Authentication - read
Plugins - none
Integrations - none
Compliance - none
Experimental - none

Config.json

The config.json file stores the full set of settings in the system settings - they roughly map to the same System Console sections/sub-sections, but are a superset of the settings surfaced by these sections/subsections.

API methods

There are mainly two categories of API calls : get and create, patch and update. The get calls are gated by the READ permissions and the create, patch and update are gated by the WRITE permissions.

Permissions

To implement the requirements detailed above we will be define the following new permission sets:

System Console overall access permissions

Currently, 1) access to the System Console, 2) managing the settings and invoking the functionality in the System Console, 3) managing the settings in the config.json and 4) gating the API calls - all these actions are being gated using the MANAGE_SYSTEM permission assigned only to the SystemAdmin role (with some exceptions). Since we need to give access to the System Console to the new roles and we also need read-only access to the System Console, we decided to create a new set of permissions that give a more granular access to the System Console, config.json and related API methods.

Note: MANAGE_SYSTEM is a System/GlobalAdmin role permission only. It is used to allow the SysAdmins to perform actions that are unique to their role - for example, to set permissions on the other admins roles (by design the newly introduced admin roles cannot change the permissions of their peers, only the System Admin can).

System Console per-section/sub-section permissions

Since we need to have read-only or write access to specific sections of the System Console , we will define a new set of READ + WRITE permissions for each of the ten main sections, as well as to some of the sub-sections that some of the new roles need special access.

There is a set of permissions that are used to gate specific tasks in the API and not covered by the MANAGE_SYSTEM permission, like PERMISSION_MANAGE_JOBS, PERMISSION_LIST_PRIVATE_TEAMS PERMISSION_JOIN_PRIVATE_TEAMS, PERMISSION_MANAGE_TEAM, etc.. These will be assigned to the new roles, depending on their specific requirements.
Note that not all of them are system level permissions.

Final set of permissions

Finally, all these permission will be assigned to the existing roles and new roles as follows:
System Admin - add all the new section-specific roles (see above) to the existing set of permissions.

Console Viewer:

Junior Admin:

User Manager:

Note: For User Manager role above, for the “User Management” section we could have had only the PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT and PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT permissions. The reason we have more permissions mapped to subsections is that we project to have variants of this role that will have some of their subsections WRITE permissions removed.

Config.json mappings to permissions

Since the newly-added permissions are by definition linked to the System Console sections, we need to map them to the config.json settings. To do that, we have reviewed the existing System Console settings and mapped them to the corresponding config.json fields:

a snippet from the sectionToPermission struct:

Note: there are settings present in the config.json that are not settable through the System Console. These settings are not captured in the sectionToPermission table and therefore are only gated at the higher level by the READ/WRITE_SETTINGS permissions.

Resource permission computation algorithms

The goal is to maintain parity between the set of permission needed to gate a System Console section/sub-section and the equivalent set needed to gate the corresponding set of config.json settings + API calls.

Access to a section/subsection of the System Console

First, the user needs to be in a role that gives them access to the System Console from the chat-facing side (READ_SETTINGS). Then, depending on the role, the user can have read-only access to the sections (no WRITE_SETTINGS) or can have WRITE_SETTINGS but with some exceptions (basically breaking the permissions inheritance from the parent section).

The rules are as follows:

1. if the current user's system role does not have READ or WRITE permission on the resource, the section is hidden for the user. Example: User Manager does not have PERMISSION_READ_SYSCONSOLE_PLUGINS or PERMISSION_WRITE_SYSCONSOLE_PLUGINS so the Plugins section is hidden from view for a user in a User Manager role

2. if the current user's system role only has READ permission on the resource, the resource is disabled. Example: User Manager has PERMISSION_READ_SYSCONSOLE_AUTHENTICATION so the Authentication section is disabled for a user.

3. if the current user's system role has a WRITE permission on a subsection, then no matter if he has READ or WRITE permission on the parent section, the resulting permission on the subsection is WRITE, basically, the WRITE on the subsection broke the permissions inheritance from the parent section.
   Example: User Manager has PERMISSION_WRITE_SYSCONSOLE_USERMANAGEMENT_USERS on the Users sub-section but also PERMISSION_READ_SYSCONSOLE_USERMANAGEMENT on the entire section, the resulting permission is WRITE on the sub-section.

4. if the current user's system role has a READ permission on a subsection, then no matter if he has READ or WRITE permission on the parent section, the resulting permission on the subsection is READ, basically, the READ on the subsection broke the permissions inheritance from the parent section (if not, by default, the subsection would’ve had the permission of the parent section).

Access to a setting in the config.json

Similar to the System Console, a user will need to be in a role that has the global READ_SETTINGS permission to fetch a setting and WRITE_SETTINGS to patch/update a setting. Beyond that, if the user only has READ access to a section setting, we are restricting update access to that setting. For example, if User Manager would have PERMISSION_READ_SYSCONSOLE_AUTHENTICATION only, the user in this role will not be able to update the config.json fields mapped to the Authentication settings (see table above).

Access to the various API methods

Most API calls that were previously gated by the MANAGE_SYSTEM permission are now gated by the READ_* permissions for the get() calls and WRITE_* permission for the create, patch and update calls.
If we need to have more granular access to an API method that corresponds to the functionality of a sub-section in the System Console (like in the User Manager case), we will gate those calls on a case by case (a single panel functionality in the System Console section/subsection can map to one or more API methods calls), using the system and non-system-scoped permission already assigned to the SystemAdmin for these operations.

Permissions

See changes detailed above

Schema

No schema changes

REST API

The following API methods will have their gating functionality changes, as follows:

Performance

No performance degradation expected.

Plugins

CREDITS

Thanks to