Major Description
I've been testing the UI in a multi-tenancy scenario, where the user has access to a single scope. In order to use the Query Workbench and Document UI in a read-only fashion, we need to give the user the following roles:
- Query Select on the scope (to be able to use the UI)
- Data Reader on the scope (so that the document REST API works)
- Query Manage Index on the scope (to see whether indexes exist or not)
- Query System Catalog (to show the buckets/scopes in the sidebar)
- Execute Scope Functions on the scope, to be able to use UDFs
- Execute Scope External Functions on the scope, to be able to use javascript UDFs
If we want the user to also be able to change data, they would also need:
- Data Writer on the scope
- Query Update, Query Insert, Query Delete on the scope
- Manage Scope Functions and Manage External Scope Functions for UDFs
If we want a user to have read/write access to a scope, we need to give them 12 separate roles. It would be really nice if we had some higher level roles, such as:
- UI reader - everything in the first 6 roles to allow UI read-access to the scope.
- UI writer - everything in all 12 roles to allow UI read/write access to the scope.