[management-api] Fine-grained rights management #180

Closed
lusoalex opened this Issue Jul 28, 2016 · 7 comments


lusoalex commented Jul 28, 2016

Hello,

In order to be smoother on user rights management, what do you think about managing Group API permissions instead of managing them one by one?

Here are some explanations:

APIs

Considering we have several APIs:

| API |
| --- |
| Product catalog |
| Price & Stock |
| Order |
| Payment |
| Production |
| Transport |
| Turnover |

API Grouping

I expect to group several APIs into groups:

| GROUP | API |
| --- | --- |
| E-commerce | Product Catalog |
| E-commerce | Price & Stock |
| E-commerce | Order |
| E-commerce | Payment |
| Supply | Order |
| Supply | Production |
| Supply | Transport |
| BI | Product Catalog |
| BI | Turnover |

Role creations

Now I want to create a role which will be composed of permissions:

E-commerce API consumer role giving access to:

| GROUP | Scope | Create | View | Edit | Delete |
| --- | --- | --- | --- | --- | --- |
| E-commerce | API | no | yes | no | no |
| E-commerce | Members | no | no | no | no |
| E-commerce | Dev Portal | no | no | no | no |
| E-commerce | Analytics | no | no | no | no |
| E-commerce | Api Key | no | no | no | no |

E-commerce API admin role giving access to:

| GROUP | Scope | Create | View | Edit | Delete |
| --- | --- | --- | --- | --- | --- |
| E-commerce | API | yes | yes | yes | yes |
| E-commerce | Members | yes | yes | yes | yes |
| E-commerce | Dev Portal | yes | yes | yes | yes |
| E-commerce | Analytics | yes | yes | yes | yes |
| E-commerce | Api Key | yes | yes | yes | yes |
| BI | API | no | yes | no | no |
| BI | Dev Portal | no | yes | no | no |

Please note that if an API is public, it must be considered as viewable by everyone. So the view permission makes sense only for private APIs.

etc...

User role

Now we just need to give roles to our users:

| USERS | ROLE |
| --- | --- |
| User A | E-commerce API consumer role |
| User B | E-commerce API consumer role |
| User B | Supply API consumer role |
| User C | Supply API admin role |

etc...

NicolasGeraud (Member) commented Jul 28, 2016

Hi,

Creating custom roles is definitely a good idea. The permissions system has been developed to allow that.

Another approach would be to manage access like Bitbucket:
you create groups:

  • Ecommerce Api consumers with users A and B
  • Supply API consumers with user B
  • Supply API admins with user C

You add the group Ecommerce Api consumers with role API consumer on each ECommerce API.

This way, I think we could easily create global API Admins, API consumers without having to group your APIs.

Wdyt?

lusoalex commented Jul 28, 2016

Hi,

I think that's a better way to manage it.
Looks like Linux user groups.

We manage groups of users and give roles to groups.
It will be easier to manage, because closer to human organization.

So to summarize:

  • We create groups of users (e.g. E-commerce API consumer)
  • A user can belong to several groups (in case of permission conflicts, the higher level should be kept)
  • We give API permission to a group

That's it?

How do you expect to manage ADMIN Group?
I think each time a new API is created, it will be boring to add "admin role" on the new API.

Alex.

NicolasGeraud (Member) commented Jul 28, 2016

Perhaps we could have a "default" checkbox on group: if checked, you choose a role and after that, this group with this role will be added every time you create a new API/Application?

lusoalex commented Jul 29, 2016

Hello,

Yes, the default checkbox is needed to ease management of APIs.

I was playing with my Synology NAS, and I looked at how rights were managed.
There's an online demo here: https://www.synology.com/fr-fr/dsm/live_demo

We can first create group rights:
[screenshot taken 2016-07-29 16:21:22]

Note that there are several tabs to manage different kinds of rights.

Then you can create a user and assign him one or more groups:
[screenshot taken 2016-07-29 16:22:31]

And finally, you can override some permissions for your user (should not be often used):
[screenshot taken 2016-07-29 16:22:44]

Note that the user rights management screens are the same as the group ones...

Finally we can imagine the same thing: create a group "E-commerce" and have a tab:

  • To give create/edit/view/delete rights on APIs
  • To give create/edit/view/delete rights on some Applications
  • To give permissions on the "deploy" button?
  • etc...

Wdyt?

lusoalex commented Jul 29, 2016

A feature which is not available in this demo but present in my current NAS:
we can select a user and ask to see the applied rights. (Useful when we have some doubts between group/user rights.)

NicolasGeraud (Member) commented Jul 29, 2016

Hum ...

This means managing permissions by usergroup?

I think a usergroup must be associated with a role on each API (and a default role).
So we need:

  • a screen where you could create a usergroup (add users to a group) and define a default role for this group.
  • Another screen where you can create roles

And that's all. In the member section of API and application, you could search groups and users, and override their default role.

@tcompiegne @brasseld ?

lusoalex commented Jul 29, 2016

Hello,
Yes so in group screen you have a tab to select roles.
And that means another screen to manage role permissions.
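To make the model discussed in this thread concrete (user groups with a "default" role that is attached to every new API, a role per group on each API, a per-user override in the member section, and the "show applied rights" view), here is an added Python example. It is not Gravitee code; the role names, group names, users and API names are constructed from the tables above, and the conflict rule (higher level wins) is taken from the discussion.

```python
from dataclasses import dataclass, field
ACTIONS = ("create", "view", "edit", "delete")
# Roles as scope -> allowed actions, taken from the role tables in the issue.
ROLES = {"API consumer": {"API": {"view"}},
         "API admin": {"API": set(ACTIONS), "Members": set(ACTIONS)}}
@dataclass
class Group:
    name: str
    members: set
    default_role: str = ""   # the "default" checkbox: this role is added to every new API

@dataclass
class Api:
    name: str
    public: bool = False
    group_roles: dict = field(default_factory=dict)  # group name -> role (member section)
    user_roles: dict = field(default_factory=dict)   # per-user override -> role

def create_api(name, groups, public=False):
    """New API: every group flagged with a default role is attached with that role."""
    api = Api(name, public)
    for g in groups:
        if g.default_role:
            api.group_roles[g.name] = g.default_role
    return api

def effective_permissions(user, api, groups):
    """'Show applied rights' for one user on one API: a per-user override replaces the
    group roles, otherwise the roles of every group the user belongs to are merged
    (a conflict resolves to the higher level); a public API is viewable by everyone."""
    if user in api.user_roles:
        applied = [api.user_roles[user]]
    else:
        applied = [api.group_roles[g.name] for g in groups
                   if user in g.members and g.name in api.group_roles]
    perms = {}
    for role in applied:
        for scope, actions in ROLES[role].items():
            perms.setdefault(scope, set()).update(actions)
    if api.public:
        perms.setdefault("API", set()).add("view")
    return perms

def demo_setup():
    """Constructed sample: consumers A and B; admins B and C, flagged as default group."""
    groups = [Group("E-commerce API consumers", {"A", "B"}),
              Group("API admins", {"B", "C"}, default_role="API admin")]
    order = create_api("Order", groups)      # "API admins" attached automatically
    order.group_roles["E-commerce API consumers"] = "API consumer"
    return groups, order
```

User B sits in both groups, so the merged result gives B the admin level; setting `order.user_roles["C"] = "API consumer"` demonstrates the per-user override reducing C to view only.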

@brasseld brasseld changed the title from Rights Management to [management-api] Fine-grained rights management Aug 23, 2016

@brasseld brasseld added this to the 1.0.0 milestone Sep 9, 2016

@NicolasGeraud NicolasGeraud self-assigned this Sep 11, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-repository-redis that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-repository that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-repository-mongodb that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 15, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-repository-mongodb that referenced this issue Oct 16, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 16, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 16, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 16, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 16, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 16, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-repository-redis that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-repository-redis that referenced this issue Oct 17, 2016

NicolasGeraud added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 18, 2016

tcompiegne added a commit to gravitee-io/gravitee-repository that referenced this issue Oct 18, 2016

tcompiegne added a commit to gravitee-io/gravitee-repository-redis that referenced this issue Oct 18, 2016

tcompiegne added a commit to gravitee-io/gravitee-repository-mongodb that referenced this issue Oct 18, 2016

tcompiegne added a commit to gravitee-io/gravitee-management-rest-api that referenced this issue Oct 18, 2016

tcompiegne added a commit to gravitee-io/gravitee-management-webui that referenced this issue Oct 18, 2016
