[Users] Roles and permissions #76

Open
netsensei opened this issue Jan 17, 2019 · 0 comments
This issue describes a model for basic roles and permissions in the Datahub.

Detailed description

Currently, there are three roles defined in the Datahub: SUPERADMIN, ADMIN and USER. It's not really clear how each role should be defined, or what their extent is.

This issue remodels that.

Context

This is a core part for the management of access to records in the Datahub.

Possible implementation

Key principles that govern permissions (what is and isn't possible in the Datahub)

  • A user can access either all the records, or no records. It should architecturally not be possible to shield only part of the API. Why? The Datahub is either "plumbing" that isn't directly accessible from the Web, or it is, in which case it follows an "open access" policy. In the former case, fine-grained control over what is shared with the outside world should be implemented through external filters.
  • There is no need to group managers or consumers transversally. The value of grouping is defined by the need to attribute different permission levels to different groups of users. This need currently doesn't exist.

We can see a few roles emerge from these principles:

ANONYMOUS

This is an anonymous, non-logged-in visitor who browses through the UI. Depending on the level of security, an anonymous user may or may not have access to the API. An anonymous user not having access to the API will see "access denied" errors.

CONSUMER

Role: ROLE_CONSUMER
Label: "Consumer"

This is a logged-in user with an active session. Consumers can:

  • View their own profile
  • Edit their own profile
  • Manage their own OAuth applications (add or remove them)
  • Access a secured REST or OAI API with their OAuth credentials and see all the records.

Consumers can't:

  • Create, edit or delete new or other users
  • View profiles of other users.
  • Create, update or delete any records through the REST API

MANAGER

Role: ROLE_MANAGER
Label: "Manager"

This is a logged-in user with an active session. Managers can:

  • View their own profile
  • Edit their own profile
  • Manage their own OAuth applications (add or remove them)
  • Access a secured REST or OAI API with their OAuth credentials and see all the records.
  • Create, update or delete records they own through the REST API

Managers can't:

  • Create, edit or delete new or other users
  • View profiles of other users.

ADMINISTRATOR

Role: ROLE_ADMINISTRATOR
Label: "Administrator"

This is a logged-in user with an active session. Administrators can:

  • View their own profile
  • Edit their own profile
  • Manage their own OAuth applications (add or remove them)
  • Manage OAuth applications of other users (add or remove them)
  • Access a secured REST or OAI API with their OAuth credentials
  • Access a secured REST or OAI API with their OAuth credentials and see all the records.
  • Create, edit or delete new or all other users
  • View profiles of all users.
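
The role lists above, expressed as a deny-by-default authorization check. This is an added example, not code from the issue or from the Datahub project; the action names (`record.read`, `user.manage`, ...), the `Scope` enum and the `api_open` flag are assumptions made for illustration.

```python
from enum import Enum


class Scope(Enum):
    OWN = "own"  # only resources owned by the caller
    ANY = "any"  # every resource of that kind


# Hypothetical action names; grants transcribed from the role lists in the issue.
_BASE = {
    "profile.view": Scope.OWN,
    "profile.edit": Scope.OWN,
    "oauth_app.manage": Scope.OWN,
    "record.read": Scope.ANY,
}
GRANTS = {
    "ROLE_CONSUMER": dict(_BASE),
    "ROLE_MANAGER": {**_BASE, "record.write": Scope.OWN},
    # The issue lists no record write permission for administrators,
    # so this example grants none.
    "ROLE_ADMINISTRATOR": {
        **_BASE,
        "profile.view": Scope.ANY,
        "oauth_app.manage": Scope.ANY,
        "user.manage": Scope.ANY,
    },
}


def is_allowed(role, action, actor_id=None, owner_id=None, api_open=False):
    """Deny by default: unknown roles, unknown actions and missing ids fail."""
    if role is None:
        # Anonymous visitor: may read records only when the API is open.
        return bool(api_open) and action == "record.read"
    scope = GRANTS.get(role, {}).get(action)
    if scope is None:
        return False
    if scope is Scope.ANY:
        return True
    # OWN scope: the caller must be identified and must own the resource.
    return actor_id is not None and actor_id == owner_id


def records_are_all_or_nothing():
    """First key principle: no role may be limited to part of the records."""
    return all(g.get("record.read", Scope.ANY) is Scope.ANY for g in GRANTS.values())
```

Keeping the grants in one table makes the "all records or no records" principle checkable in a unit test, so a later change that scopes `record.read` to `OWN` fails immediately.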