-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support granting of permissions for users in the context of organizational entities #1250
Comments
Since this is going to create relationships with what we currently call |
I'm going to be so bold as to add a
These roles seem straightforward and universal. It may be that we want |
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Some decisions we made which I want to lock in here: We want endpoints that look like this... -- PUT /users/{userKeycloakUserId}/roles/funders/{shortCode}/accessType/administrator => {} |
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
I think the permissions are good, but to the point of the original post here, I think we need to use Keycloak 26's Organization feature to group people together into organizations, letting those groups come through in the JWT. |
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
We want to support more granular permissions (per #1093) and the first step to being able to do this is to support relationships between users and our three types of organizational entity (Funder, ChangeMaker, and DataProvider).
For this issue those associations won't actually impact permissions in terms of viewing data yet.
This issue will include logic that allows users associated with a given organization to be able to add other users to their organization. As mentioned in #1093 we may eventually want to support the concept of an admin user, but for MVP we can stick with a higher trust model.
The text was updated successfully, but these errors were encountered: