Roles & Permissions

[kulmann]

Things to do for roles & permissions:

• Concept session
• protobuf spec for roles and permissions (intertwined with settings bundles)
• grpc services for... Prototyping for roles & permissions product#85
  • registering roles and permissions (along with settings bundles)
  • getting and setting roles of a user
• when getting settings bundles for a user, filter out settings that are available for the user

[kulmann]

For defining permissions we aim to follow microsoft graph with their Resource.Operation.Constraint style. Examples:

resources:

• all files
• file with id xy
• all shares
• pending shares
• share with id xy
• all settings of a bundle
• setting with identifier xy

operations (not all of them for certain resources):

• create
• read
• update
• delete

constraints:

• user "me"
• all users
• all users of a certain group
• all users of a certain space

Important remark: We will save actual file permissions in ACLs. The permissions serve as blueprint that get translated into ACLs then.

cc @felixboehm @pmaier1 @micbar

[kulmann]

We decided to investigate persisting roles as SettingsBundles and to introduce a new setting type PermissionSetting. Each setting will potentially be tied to a resource or a list of resources (file, user, ...). This gives us the flexibility to compose a role as a list of permissions and at the same time provide meta data for the role in additional settings (e.g. StringSetting).

[phil-davis]

@kulmann this is an old issue that was transferred from the archived ocis-settings repo a few weeks ago.
Please close if no longer relevant.