Support granting of permissions for users in the context of organizational entities #1250
Assignees
Comments
|
Since this is going to create relationships with what we currently call |
|
I'm going to be so bold as to add a These roles seem straightforward and universal. It may be that we want |
slifty
added a commit
that referenced
this issue
Oct 28, 2024
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
|
Some decisions we made which I want to lock in here: We want endpoints that look like this... -- PUT /users/{userKeycloakUserId}/roles/funders/{shortCode}/accessType/administrator => {} |
slifty
added a commit
that referenced
this issue
Oct 28, 2024
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Oct 28, 2024
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Oct 30, 2024
Users in our system can be associated with the three types of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 6, 2024
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 6, 2024
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 7, 2024
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 7, 2024
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 7, 2024
Users in our system can be given permission to three kinds of organization in the PDC (changemakers, funders, and data providers). These associations will allow them access to perform various actions in the context of those organizations. For instance, reading data, writing data, or managing other user associations. This list of abilities may change in future. We explored the concept of `user_roles` with foreign keys to different organization types (similar to the sources table) but decided to have three separate tables because they are slightly distinct concepts. For instance, there will probably be certain access types that only apply to certain types of organization in future. Another design decision was to have the permissions in terms of granted access type rather than higher level role. For instance, instead of roles like "administrator" and "editor" we have action oriented roles like "read" and "manage". This provides more granularity and is also more explicit about what a given role / access type actually allows. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 12, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
|
I think the permissions are good, but to the point of the original post here, I think we need to use Keycloak 26's Organization feature to group people together into organizations, letting those groups come through in the JWT. |
slifty
added a commit
that referenced
this issue
Nov 13, 2024
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 13, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 13, 2024
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 13, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 13, 2024
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 14, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 14, 2024
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 14, 2024
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
slifty
changed the title
slifty
added a commit
that referenced
this issue
Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 21, 2024
This endpoint allows the creation of new user changemaker permissions. It is also the first endpoint to actually require a particular changemaker permission in order to access the functionality. Issue #1250 Support associations between users and organizational entities
slifty
added a commit
that referenced
this issue
Nov 21, 2024
This endpoint makes it possible for a user with appropriate permissions to remove a changemaker permission for a given user. Issue #1250 Support associations between users and organizational entities
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We want to support more granular permissions (per #1093) and the first step to being able to do this is to support relationships between users and our three types of organizational entity (Funder, ChangeMaker, and DataProvider).
For this issue those associations won't actually impact permissions in terms of viewing data yet.
This issue will include logic that allows users associated with a given organization to be able to add other users to their organization. As mentioned in #1093 we may eventually want to support the concept of an admin user, but for MVP we can stick with a higher trust model.
The text was updated successfully, but these errors were encountered: