fine grained access #208
fine grained access #208
Conversation
|
In the internal authorization, an admin user can assign roles using a multi-select input and can also remove roles as needed. These roles are then saved to the repository. |
palagdan
force-pushed
the
202-fine-grained
branch
from
7b2e15d
to
c94b109
Compare
src/components/user/User.jsx
Outdated
| @@ -4,15 +4,16 @@ import withI18n from "../../i18n/withI18n"; | |||
| import { injectIntl } from "react-intl"; | |||
| import HorizontalInput from "../HorizontalInput"; | |||
| import UserValidator from "../../validation/UserValidator"; | |||
| import { ACTION_STATUS, ROLE } from "../../constants/DefaultConstants"; | |||
| import { ACTION_STATUS, ROLE, ROLE_TYPE } from "../../constants/DefaultConstants"; | |||
There was a problem hiding this comment.
it is a mapper between roles and types
| }; | ||
|
|
||
| export const TYPE_ROLE = { |
There was a problem hiding this comment.
Do we really need to duplicate strings from ROLE?
There was a problem hiding this comment.
can we use convention instead? see below
There was a problem hiding this comment.
There may be an issue because some roles, such as admin and doctor, do not have the 'rm' prefix, making it difficult to differentiate them. Also there is a problem if we want to display roles in readable form such as "Publish Records" etc.
| export const DELETE_ALL_RECORDS_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/delete-all-records"; | ||
| export const EDIT_ALL_RECORDS_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/edit-all-records"; | ||
| export const VIEW_ALL_RECORDS_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/view-all-records"; | ||
| export const DELETE_ORGANIZATION_RECORDS_TYPE = |
There was a problem hiding this comment.
I suggest to infer local name from url by convention:
rm_ <--- 'http://onto.fel.cvut.cz/ontologies/record-manager/'
view_all_records <--- view-all-records
convention is that _ is used instead -
There was a problem hiding this comment.
I initially chose the (-) as the divider because I noticed in mode.ttl that other resources and properties use it, such as:
### http://onto.fel.cvut.cz/ontologies/record-manager/has-last-editor
rm:has-last-editor rdf:type owl:ObjectProperty ;
rdfs:subPropertyOf rm:relates-to .
### http://onto.fel.cvut.cz/ontologies/record-manager/has-member
rm:has-member rdf:type owl:ObjectProperty ;
rdfs:subPropertyOf rm:relates-to ;
owl:inverseOf rm:is-member-of .
### http://onto.fel.cvut.cz/ontologies/record-manager/has-owner
rm:has-owner rdf:type owl:ObjectProperty ;
rdfs:subPropertyOf rm:relates-to .However, I will change it to _.
src/constants/Vocabulary.js
Outdated
| @@ -8,3 +8,17 @@ export const RDFS_COMMENT = "http://www.w3.org/2000/01/rdf-schema#comment"; | |||
| export const ADMIN_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/administrator"; | |||
| export const DOCTOR_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/doctor"; | |||
| export const IMPERSONATOR_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/impersonator"; | |||
| export const COMPLETE_RECORDS_TYPE = "http://onto.fel.cvut.cz/ontologies/record-manager/record-complete"; | |||
There was a problem hiding this comment.
inconsistent with reject_records ---> complete-records
palagdan
force-pushed
the
202-fine-grained
branch
from
ecd0d6d
to
4be2f47
Compare
|
@blcham The admin can choose the roles for users if he have role EDIT_USER. The group input currently does not function because we need to discuss how it should be implemented. It might be better to disable the Roles input and assign roles based on the chosen group. The next point for discussion is how Keycloak will retrieve information about roles. Currently, Keycloak only gets information about roles for the current user, which makes it impossible to display accurate information about other users. I think it would be beneficial to configure the Keycloak plugin to also save this information. |
palagdan
force-pushed
the
202-fine-grained
branch
from
4be2f47
to
62d2b09
Compare
|
we do not want to assign roles, but role groups !! --- as we discussed we want to keep label "role" in RM-UI but assign there ONE role group ... but as i said if it is not changeable or even not visible there i fo not care that much -- it is not that important, we have keycloak for that. |
|
@blcham In Keycloak authorization, I recommend not displaying the group role, as doing so would require storing it in a triple (via the plugin change). So we will have these group roles if undestand correctly: [OPERATOR_ADMIN]
[OPERATOR_USER]
[SUPPLIER_ADMIN]
[SUPPIER]
[NON-ANONYMOUS QUESTIONARE]
|
|
There is now a "Role Group" input that automatically assigns a roles to the user based on a group. I've left disabled roles input because there’s currently no other way to see which roles are assigned to the user, similar to how it's displayed in Keycloak. I can remove this if it’s not necessary for internal authorization. In Keycloak, there is no "Role Group" or "Roles" option because, as mentioned before, this information should be stored in triples to show valid information. As you said, it’s not necessary for keycloak profile, as all the relevant information is already in Keycloak. Additionally, I’m not sure if we want to retrieve the role group from the token, as you previously mentioned that all the logic is based on roles, and the groups are only for demonstration purposes. |
| @@ -81,8 +82,45 @@ export const ACTION_STATUS = { | |||
|
|
|||
| export const ROLE = { | |||
| ADMIN: "Admin", | |||
| DOCTOR: "Regular User", | |||
| DOCTOR: "Doctor", | |||
There was a problem hiding this comment.
add comment that this is deprecated and will be replaced
Resolves partially #202
Resolves partially #158