Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support granting of permissions for users in the context of organizational entities #1250

Open
slifty opened this issue Oct 14, 2024 · 4 comments
Assignees

Comments

@slifty
Copy link
Member

slifty commented Oct 14, 2024

We want to support more granular permissions (per #1093) and the first step to being able to do this is to support relationships between users and our three types of organizational entity (Funder, ChangeMaker, and DataProvider).

For this issue those associations won't actually impact permissions in terms of viewing data yet.

This issue will include logic that allows users associated with a given organization to be able to add other users to their organization. As mentioned in #1093 we may eventually want to support the concept of an admin user, but for MVP we can stick with a higher trust model.

@slifty slifty self-assigned this Oct 14, 2024
@slifty slifty added this to Phase 5 Oct 14, 2024
@slifty slifty moved this to In Progress in Phase 5 Oct 14, 2024
@slifty slifty moved this from In Progress to Todo in Phase 5 Oct 14, 2024
@slifty
Copy link
Member Author

slifty commented Oct 14, 2024

Since this is going to create relationships with what we currently call Organization I'd like to knock out #1117 first (otherwise we'll just be immediately changing some of what we write for this issue)

@slifty slifty moved this from Todo to In Progress in Phase 5 Oct 14, 2024
@slifty
Copy link
Member Author

slifty commented Oct 14, 2024

I'm going to be so bold as to add a user_role column to the relationship table, because it is pretty simple to implement now.

CREATE TYPE user_role AS ENUM (
  'administrator',
  'editor',
  'viewer',
)

These roles seem straightforward and universal. It may be that we want owner as well but I'm also comfortable adding that later if the use case becomes a priority.

slifty added a commit that referenced this issue Oct 28, 2024
Users in our system can be associated with the three types of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
@slifty
Copy link
Member Author

slifty commented Oct 28, 2024

Some decisions we made which I want to lock in here:

We want endpoints that look like this...

-- PUT /users/{userKeycloakUserId}/roles/funders/{shortCode}/accessType/administrator => {}
-- GET /users/{userKeycloakUserId}/roles/funders/{shortCode}/accessType/administrator
-- DELETE /users/{userKeycloakUserId}/roles/funders/{shortCode}/accessType/administrator

slifty added a commit that referenced this issue Oct 28, 2024
Users in our system can be associated with the three types of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Oct 28, 2024
Users in our system can be associated with the three types of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
@slifty slifty moved this from In Progress to QA in Phase 5 Oct 29, 2024
@slifty slifty moved this from QA to In Progress in Phase 5 Oct 29, 2024
slifty added a commit that referenced this issue Oct 30, 2024
Users in our system can be associated with the three types of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 6, 2024
Users in our system can be given permission to three kinds of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 6, 2024
Users in our system can be given permission to three kinds of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 7, 2024
Users in our system can be given permission to three kinds of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 7, 2024
Users in our system can be given permission to three kinds of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 7, 2024
Users in our system can be given permission to three kinds of
organization in the PDC (changemakers, funders, and data providers).
These associations will allow them access to perform various actions in
the context of those organizations.

For instance, reading data, writing data, or managing other user
associations. This list of abilities may change in future.

We explored the concept of `user_roles` with foreign keys to different
organization types (similar to the sources table) but decided to have
three separate tables because they are slightly distinct concepts.  For
instance, there will probably be certain access types that only apply to
certain types of organization in future.

Another design decision was to have the permissions in terms of granted
access type rather than higher level role. For instance, instead of
roles like "administrator" and "editor" we have action oriented roles
like "read" and "manage".

This provides more granularity and is also more explicit about what
a given role / access type actually allows.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 12, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
@bickelj
Copy link
Contributor

bickelj commented Nov 12, 2024

I think the permissions are good, but to the point of the original post here, I think we need to use Keycloak 26's Organization feature to group people together into organizations, letting those groups come through in the JWT.

slifty added a commit that referenced this issue Nov 13, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 13, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 13, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 13, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 13, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 14, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 14, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 14, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
@slifty slifty changed the title Support associations between users and organizational entities Support granting of permissions for users in the context of organizational entities Nov 19, 2024
slifty added a commit that referenced this issue Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions.
It is also the first endpoint to actually require a particular
changemaker permission in order to access the functionality.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Nov 21, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Dec 2, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Dec 2, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Dec 2, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Dec 2, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
slifty added a commit that referenced this issue Dec 2, 2024
This endpoint makes it possible for a user with appropriate permissions
to remove a changemaker permission for a given user.

Issue #1250 Support associations between users and organizational entities
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: In Progress
Development

No branches or pull requests

2 participants