RBAC: too many different roles needed for UI access to single scope

Description

I've been testing the UI in a multi-tenancy scenario, where the user has access to a single scope. In order to use the Query Workbench and Document UI in a read-only fashion, we need to give the user the following roles:

  • Query Select on the scope (to be able to use the UI)

  • Data Reader on the scope (so that the document REST API works)

  • Query Manage Index on the scope (to see whether indexes exist or not)

  • Query System Catalog (to show the buckets/scopes in the sidebar)

  • Execute Scope Functions on the scope, to be able to use UDFs

  • Execute Scope External Functions on the scope, to be able to use JavaScript UDFs

If we want the user to also be able to change data, they would also need:

  • Data Writer on the scope

  • Query Update, Query Insert, Query Delete on the scope

  • Manage Scope Functions and Manage External Scope Functions for UDFs

If we want a user to have read/write access to a scope, we need to give them 12 separate roles. It would be really nice if we had some higher level roles, such as:

  • UI reader - everything in the first 6 roles to allow UI read-access to the scope.

  • UI writer - everything in all 12 roles to allow UI read/write access to the scope.
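As an added example (not code from this ticket or from the Couchbase project), the following POSIX shell script spells out the two proposed convenience roles as explicit lists of Couchbase role identifiers and grants them to a local user through the RBAC REST endpoint (`PUT /settings/rbac/users/local/<name>`). Keeping the bundle as a visible, reproducible role list is one way to get the "UI reader"/"UI writer" effect today while making the aggregation obvious. The role identifier syntax (for example `query_select[bucket:scope]`) is taken from the Couchbase Server roles reference rather than from this page, so verify it against your server version; the host, admin credentials, bucket and scope names are constructed placeholders.

```shell
#!/bin/sh
# Added example: compose the ticket's proposed "UI reader" (6 roles) and
# "UI writer" (12 roles) bundles as explicit Couchbase role identifiers and
# grant them over the RBAC REST API. Identifier syntax assumed from the
# Couchbase roles reference; host/credentials/bucket/scope are placeholders.

CB_HOST="${CB_HOST:-http://127.0.0.1:8091}"
CB_ADMIN_USER="${CB_ADMIN_USER:-Administrator}"
CB_ADMIN_PASS="${CB_ADMIN_PASS:-password}"

# ui_reader_roles BUCKET SCOPE -> comma-separated list of the 6 read-only roles
ui_reader_roles() {
  b="$1"; s="$2"
  printf '%s' \
    "query_select[$b:$s],data_reader[$b:$s],query_manage_index[$b:$s],query_system_catalog,query_execute_functions[$b:$s],query_execute_external_functions[$b:$s]"
}

# ui_writer_roles BUCKET SCOPE -> the reader roles plus the 6 write roles (12 total)
ui_writer_roles() {
  b="$1"; s="$2"
  printf '%s,%s' "$(ui_reader_roles "$b" "$s")" \
    "data_writer[$b:$s],query_update[$b:$s],query_insert[$b:$s],query_delete[$b:$s],query_manage_functions[$b:$s],query_manage_external_functions[$b:$s]"
}

# count_roles ROLELIST -> number of comma-separated entries (sanity check for the bundle size)
count_roles() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# grant_scope_role USERNAME PASSWORD reader|writer BUCKET SCOPE
# Creates or replaces the local user with exactly the chosen bundle, nothing more.
grant_scope_role() {
  user="$1"; pass="$2"; kind="$3"; b="$4"; s="$5"
  case "$kind" in
    reader) roles=$(ui_reader_roles "$b" "$s") ;;
    writer) roles=$(ui_writer_roles "$b" "$s") ;;
    *) echo "unknown bundle kind: $kind (expected reader|writer)" >&2; return 1 ;;
  esac
  curl -sS -u "$CB_ADMIN_USER:$CB_ADMIN_PASS" \
    -X PUT "$CB_HOST/settings/rbac/users/local/$user" \
    --data-urlencode "name=$user" \
    --data-urlencode "password=$pass" \
    --data-urlencode "roles=$roles"
}

# Example invocation (placeholder values; uncomment to run against a cluster):
# grant_scope_role tenant_a_reader 'S3cret-Placeholder' reader travel-sample inventory
```

Because the PUT replaces the user's whole role set, re-running the script for a user is idempotent and any role that was granted by hand outside the bundle is dropped, which keeps the effective permissions equal to the documented list.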

Activity

Vinathi Kanna September 25, 2024 at 4:04 AM

Removing Morpheus fix version and adding Ponyo.

Dave Finlay February 15, 2022 at 6:14 PM

We can certainly think of coming up with some "convenience roles" that aggregate finer-grained roles, but it's something we haven't done to date. Generally we first want finer-grained roles as there are always use cases that don't want the bundling.

When / if we do create convenience roles that aggregate other roles, I think we should do it in a way that's clear to users what the aggregation is. It seems that the UI should also change and should not present something like "UI reader" as a separate independent role, but rather describe it as exactly the aggregation that defines it.

Details

Assignee

Abhijeeth Nuthan

Story Points

1

Created February 15, 2022 at 5:44 PM
Updated September 25, 2024 at 4:04 AM