Rework admin multitenancy role #14

README.md

@@ -54,6 +54,21 @@ system entities.
 # Predefined Roles
 
 - **tenant-admin-role** - allows user to configure tenants.
+
+**Note**. The role does not allow manage users if you want you should create a role that  allows that. For example
+```java
+@ResourceRole(name = "Manage user access", code = ManageUserAccessRole.CODE)
+public interface ManageUserAccessRole {
+
+    String CODE = "manage-user-access";
+
+    @EntityPolicy(entityClass = User.class, actions = {EntityPolicyAction.ALL})
+    @EntityAttributePolicy(entityClass = User.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
+    @ScreenPolicy(screenIds = {"mtensmp_User.browse", "mtensmp_User.edit"})
+    @MenuPolicy(menuIds = {"mtensmp_User.browse"})
+    void createUserAccess();
+}
+```
 
 # Managing Tenants
 

multitenancy-ui/src/main/java/io/jmix/multitenancyui/impl/MultitenancyUiSupportImpl.java

@@ -22,7 +22,6 @@
 import io.jmix.multitenancy.entity.Tenant;
 import io.jmix.multitenancyui.MultitenancyUiSupport;
 import io.jmix.ui.navigation.UrlRouting;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 import java.util.List;
@@ -34,13 +33,17 @@
  */
 @Component("mten_MultitenancyUiSupport")
 public class MultitenancyUiSupportImpl implements MultitenancyUiSupport {
-    @Autowired
-    private MultitenancyProperties multitenancyProperties;
-    @Autowired
-    private DataManager dataManager;
+    private final MultitenancyProperties multitenancyProperties;
+    private final DataManager dataManager;
 
     private static final String TENANT_USERNAME_SEPARATOR = "|";
 
+    public MultitenancyUiSupportImpl(MultitenancyProperties multitenancyProperties,
+                                     DataManager dataManager) {
+        this.multitenancyProperties = multitenancyProperties;
+        this.dataManager = dataManager;
+    }
+
     @Override
     public String getUsernameByUrl(String username, UrlRouting urlRouting) {
         if (Strings.isNullOrEmpty(multitenancyProperties.getTenantIdUrlParamName())) {

multitenancy/src/main/java/io/jmix/multitenancy/security/role/MultitenancyAdminRole.java

@@ -22,13 +22,11 @@
 import io.jmix.security.role.annotation.EntityAttributePolicy;
 import io.jmix.security.role.annotation.EntityPolicy;
 import io.jmix.security.role.annotation.ResourceRole;
-import io.jmix.securitydata.entity.ResourcePolicyEntity;
-import io.jmix.securitydata.entity.ResourceRoleEntity;
-import io.jmix.securitydata.entity.RowLevelPolicyEntity;
-import io.jmix.securitydata.entity.RowLevelRoleEntity;
+import io.jmix.securitydata.entity.*;
 import io.jmix.securityui.model.*;
 import io.jmix.securityui.role.annotation.MenuPolicy;
 import io.jmix.securityui.role.annotation.ScreenPolicy;
+import io.jmix.securityui.screen.resourcepolicy.AttributeResourceModel;
 
 @ResourceRole(name = "Multitenancy: administration", code = MultitenancyAdminRole.CODE)
 public interface MultitenancyAdminRole {
@@ -45,6 +43,8 @@ public interface MultitenancyAdminRole {
     @EntityPolicy(entityClass = ResourceRoleModel.class, actions = {EntityPolicyAction.ALL})
     @EntityPolicy(entityClass = RowLevelRoleModel.class, actions = {EntityPolicyAction.ALL})
     @EntityPolicy(entityClass = RowLevelPolicyModel.class, actions = {EntityPolicyAction.ALL})
+    @EntityPolicy(entityClass = AttributeResourceModel.class, actions = {EntityPolicyAction.ALL})
+    @EntityPolicy(entityClass = RoleAssignmentEntity.class, actions = {EntityPolicyAction.ALL})
     @EntityAttributePolicy(entityClass = Tenant.class, attributes = "*", action = EntityAttributePolicyAction.VIEW)
     @EntityAttributePolicy(entityClass = BaseRoleModel.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
     @EntityAttributePolicy(entityClass = ResourcePolicyEntity.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
@@ -55,17 +55,29 @@ public interface MultitenancyAdminRole {
     @EntityAttributePolicy(entityClass = ResourceRoleModel.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
     @EntityAttributePolicy(entityClass = RowLevelRoleModel.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
     @EntityAttributePolicy(entityClass = RowLevelPolicyModel.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
+    @EntityAttributePolicy(entityClass = AttributeResourceModel.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
+    @EntityAttributePolicy(entityClass = RoleAssignmentEntity.class, attributes = "*", action = EntityAttributePolicyAction.MODIFY)
 
     @ScreenPolicy(screenIds = {
             "mten_Tenant.browse",
             "mten_Tenant.edit",
+            "sec_RoleAssignmentScreen",
             "sec_ResourceRoleModel.browse",
             "sec_ResourceRoleModel.edit",
             "sec_ResourceRoleModel.lookup",
             "sec_RowLevelRoleModel.browse",
             "sec_RowLevelRoleModel.edit",
             "sec_RowLevelRoleModel.lookup",
-            "sec_RowLevelPolicyModel.edit"
+            "sec_RowLevelPolicyModel.edit",
+            "sec_MenuResourcePolicyModel.create",
+            "sec_MenuResourcePolicyModel.edit",
+            "sec_ScreenResourcePolicyModel.create",
+            "sec_ScreenResourcePolicyModel.edit",
+            "sec_EntityResourcePolicyModel.create",
+            "sec_EntityResourcePolicyModel.edit",
+            "sec_EntityAttributeResourcePolicyModel.create",
+            "sec_EntityAttributeResourcePolicyModel.edit",
+            "sec_SpecificResourcePolicyModel.edit"
     })
     @MenuPolicy(menuIds = {
             "mten_Tenant.browse",