Allow exclusions for finer grained control #5569

Closed
WilliamBZA wants to merge 1 commit into auth from add-exclusions

@WilliamBZA

No description provided.

[Writer] =
[
"*:*:*",
"-error:licensing:*",
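
Review bot: the scope of the `-error:licensing:*` exclusion in the `[Writer]` entry is not stated. After `"*:*:*"`, nothing in these lines says whether the exclusion is resolved inside Writer before roles are combined or applied to a user's combined grants, and the two give different results for a user holding more than one role. Suggest a comment on the entry stating which it is, plus a test with a user holding Writer and a second role.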

I'm not a fan of denials. This means that when a user has both Writer+Admin roles, they now cannot access most configuration-related views, as denials must always be prioritized over allows.

ramonsmits added a commit that referenced this pull request Jul 2, 2026
* ♻️ Replace wildcard role-permission expansion with explicit lists

Roles are explicit permission-constant lists built from four additive
groups: Read (16 views), ReadConfiguration (licensing/notifications/
redirects/throughput views), Operate (message triage, housekeeping
deletes, endpoints/connections manage), Configure (licensing/
notifications/redirects/throughput manage + test). Reader = Read +
ReadConfiguration, Writer = Read + Operate, Admin = everything.
All pattern parsing/expansion machinery is removed.

The sets match the include/exclude patterns of #5569 exactly: writer
holds endpoints:manage and connections:manage but has no access to the
licensing/notifications/redirects/throughput areas (not even :view),
so reader is intentionally not a subset of writer.

Guard tests break the build when a new permission constant is not
assigned to a role, enforce reader/writer ⊂ admin, and pin writer's
configuration-area exclusions.

* minimize diff

* Remove unneeded tests that test which permissions certain roles have.

ramonsmits closed this Jul 2, 2026
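
The precedence concern from the review comment and the additive explicit-set approach from the referenced commit, side by side, as an added example that is not code from this pull request or the project. The permission names, the Admin pattern and all function names are assumptions made for illustration; only Writer's two patterns come from the page.

```python
from fnmatch import fnmatchcase

# Constructed permission names, shaped like the PR's three-part patterns.
PERMISSIONS = frozenset({
    "error:messages:view",
    "error:endpoints:manage",
    "error:licensing:view",
    "error:licensing:manage",
})

# Writer's patterns are the ones visible in the PR; Admin's are an assumption.
ROLE_PATTERNS = {
    "Writer": ["*:*:*", "-error:licensing:*"],
    "Admin": ["*:*:*"],
}

def split_patterns(patterns):
    """Separate allow patterns from '-'-prefixed exclusions."""
    allows = [p for p in patterns if not p.startswith("-")]
    denies = [p[1:] for p in patterns if p.startswith("-")]
    return allows, denies

def resolve(allows, denies):
    """Permissions matched by an allow pattern and by no exclusion."""
    def hit(perm, pats):
        return any(fnmatchcase(perm, pat) for pat in pats)
    return frozenset(p for p in PERMISSIONS if hit(p, allows) and not hit(p, denies))

def global_deny(roles):
    """Pool every role's patterns; an exclusion from any role wins."""
    allows, denies = [], []
    for role in roles:
        a, d = split_patterns(ROLE_PATTERNS[role])
        allows += a
        denies += d
    return resolve(allows, denies)

def expand_role(role):
    """Resolve one role to an explicit permission set."""
    return resolve(*split_patterns(ROLE_PATTERNS[role]))

def additive(roles):
    """Union of per-role explicit sets; exclusions never cross roles."""
    return frozenset().union(*(expand_role(r) for r in roles))

def unassigned():
    """Guard: permissions that no role grants."""
    return PERMISSIONS - additive(ROLE_PATTERNS)
```

With `["Writer", "Admin"]`, `global_deny` returns only Writer's two permissions, while `additive` returns all four.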