Django admin user roles

For our MVP, we create and maintain 2 admin roles: Full access and CISA analyst. Both have the role staff. Permissions on these roles are set through groups: full_access_group and cisa_analysts_group. These groups and the methods to create them are defined in our user_group model and run in a migration.

For more details, refer to the user group model.

Adding a user as analyst or granting full access via django-admin (/admin)

If a new team member has joined, then they will need to be granted analyst (cisa_analysts_group) or full access (full_access_group) permissions in order to view the admin pages. These admin pages are the ones found at manage.get.gov/admin. To do this, do the following:

  1. The user in question will need to have a login.gov account and log in to our system. This will create a Users table entry with their email address and name.
  2. On the Users table, note that the GROUP column should be blank for them, as they have no special permissions yet.
  3. Click on their username, then scroll down to the User Permissions section.
  4. Under User Permissions, see the Groups table, which has a column for Available groups and a column for Chosen groups. Select the permission you want from the Available groups column and click the right arrow to move it to Chosen groups. Note: if you want this user to be an analyst, select cisa_analysts_group; otherwise select full_access_group.
  5. (Optional) If the user needs access to django admin (such as an analyst), then you will also need to make sure "Staff Status" is checked. This can be found in the same User Permissions section right below the checkbox for Active.
  6. Click Save to apply all changes.

Removing a user group permission via django-admin (/admin)

If an employee was given the wrong permissions, or has had a change in roles that requires a permission change, then their permissions should be updated in django-admin. Much like in the previous section, you can accomplish this by doing the following:

  1. Go to the Users table and select the username for the user in question.
  2. Scroll down to the User Permissions section and find the Groups table which has a column for Available groups and Chosen groups.
  3. In this table, select the permission you want to remove from the Chosen groups and then click the left facing arrow to move the permission to Available groups.
  4. Depending on the scenario, you may now need to add the opposite permission group to the Chosen groups section. Please see the section above for instructions on how to do that.
  5. If the user should no longer see the admin page, you must ensure that under User Permissions, Staff status is NOT checked.
  6. Click Save to apply all changes.
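
The two procedures above change group membership and Staff status separately, so the two can drift apart. The following is an added example, not code from this project: it checks user rows for mismatches between the two. The group names come from this page; the row layout, the function names, the sample users, and the treatment of the two groups as mutually exclusive are assumptions.

```python
# Added example: consistency audit of admin role assignments.
# Group names are from this page; the row layout is an assumption. In a
# Django shell, each row could be built from a user's is_staff flag and
# user.groups.values_list("name", flat=True).
ROLE_GROUPS = {"full_access_group", "cisa_analysts_group"}


def audit_user(row):
    """Return the findings for one user row (an empty list means consistent)."""
    findings = []
    roles = set(row["groups"]) & ROLE_GROUPS
    if row["is_staff"] and not roles:
        # Removal procedure, step 5: Staff status was left checked after the
        # group was removed, or was set without any group being chosen.
        findings.append("staff status set but no role group")
    if roles and not row["is_staff"]:
        # Grant procedure, step 5: the group was chosen but Staff Status was
        # not checked, so the user cannot use the admin pages.
        findings.append("role group set but staff status not checked")
    if len(roles) > 1:
        # Assumption: a user holds one role or the other, never both.
        findings.append("member of both role groups")
    return findings


def audit(rows):
    """Map username -> findings, listing only users with at least one finding."""
    report = {}
    for row in rows:
        findings = audit_user(row)
        if findings:
            report[row["username"]] = findings
    return report


# Constructed sample rows, not real accounts.
SAMPLE_USERS = [
    {"username": "alice", "is_staff": True, "groups": ["cisa_analysts_group"]},
    {"username": "bob", "is_staff": True, "groups": []},
    {"username": "carol", "is_staff": False, "groups": ["full_access_group"]},
    {"username": "dave", "is_staff": True,
     "groups": ["cisa_analysts_group", "full_access_group"]},
    {"username": "erin", "is_staff": False, "groups": []},
]

if __name__ == "__main__":
    for username, findings in audit(SAMPLE_USERS).items():
        for finding in findings:
            print(f"{username}: {finding}")
```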

Editing group permissions through code

We can edit and deploy new group permissions by:

  1. Editing user_group, then:
  2. Duplicating migration 0036_create_groups_01 and running migrations (append a version number to the name to help Django detect the migration, e.g. 0037_create_groups_02).
  3. Making sure the dependency in the new migration is updated to point to the previous migration.