RBAC: too many different roles needed for UI access to single scope
Description
Affects versions
Fix versions
Labels
None
Environment
None
Release Notes Description
None
Activity
Vinathi Kanna September 25, 2024 at 4:04 AM
Removing Morpheus fix version and adding Ponyo.
Dave Finlay February 15, 2022 at 6:14 PM
We can certainly think of coming up with some "convenience roles" that aggregate finer-grained roles, but it's something we haven't done to date. Generally we first want finer-grained roles as there are always use cases that don't want the bundling.
When / if we do create convenience roles that aggregate other roles, I think we should do it in a way that's clear to users what the aggregation is. It seems that the UI should also change and should not present something like "UI reader" as a separate independent role, but rather describe it as exactly the aggregation that defines it.
Details
Assignee
Eben Haber
Reporter
Eben Haber
Story Points
1
Priority
Major
Linked Issues
Created February 15, 2022 at 5:44 PM
Updated September 25, 2024 at 4:04 AM
Description
I've been testing the UI in a multi-tenancy scenario, where the user has access to a single scope. In order to use the Query Workbench and Document UI in a read-only fashion, we need to give the user the following roles:
Query Select on the scope (to be able to use the UI)
Data Reader on the scope (so that the document REST API works)
Query Manage Index on the scope (to see whether indexes exist or not)
Query System Catalog (to show the buckets/scopes in the sidebar)
Execute Scope Functions on the scope, to be able to use UDFs
Execute Scope External Functions on the scope, to be able to use JavaScript UDFs
If we want the user to also be able to change data, they would also need:
Data Writer on the scope
Query Update, Query Insert, Query Delete on the scope
Manage Scope Functions and Manage External Scope Functions for UDFs
If we want a user to have read/write access to a scope, we need to give them 12 separate roles. It would be really nice if we had some higher level roles, such as:
UI reader - everything in the first 6 roles to allow UI read-access to the scope.
UI writer - everything in all 12 roles to allow UI read/write access to the scope.
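The twelve roles listed above, composed into reusable "UI reader" and "UI writer" bundles for one bucket scope and checked against what a user actually holds, as an added example that is not part of the original issue and not Couchbase's own code. It assumes the internal role names behind the UI labels (query_select, data_reader, query_manage_index, query_system_catalog, query_execute_functions, query_execute_external_functions, data_writer, query_update, query_insert, query_delete, query_manage_functions, query_manage_external_functions), the role[bucket:scope] form accepted by the RBAC REST API, and the JSON shape of a GET /settings/rbac/users entry; all three are this example's assumptions, and the sample user record is constructed.

```python
"""Bundle and audit the per-scope RBAC roles the issue lists for UI access.

Added example, not Couchbase project code. Internal role names, the
role[bucket:scope] syntax and the GET /settings/rbac/users JSON field names
are assumptions of this example.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlencode

# Conservative identifier check: a bucket or scope name taken from a tenant
# must not be able to smuggle ']' or ',' into the roles string and widen a grant.
_IDENT = re.compile(r"^[A-Za-z0-9_.%-]{1,100}$")

# Roles the issue lists for read-only UI use of one scope (scope-qualified).
UI_READER_SCOPED = (
    "query_select",                      # Query Select
    "data_reader",                       # Data Reader (document REST API)
    "query_manage_index",                # Query Manage Index
    "query_execute_functions",           # Execute Scope Functions
    "query_execute_external_functions",  # Execute Scope External Functions
)
UI_READER_GLOBAL = ("query_system_catalog",)  # cluster-wide, no scope qualifier

# Extra roles the issue lists for read/write use.
UI_WRITER_EXTRA = (
    "data_writer",
    "query_update", "query_insert", "query_delete",
    "query_manage_functions", "query_manage_external_functions",
)


def is_safe_identifier(name: str) -> bool:
    return bool(_IDENT.match(name))


def scoped(role: str, bucket: str, scope: str) -> str:
    """Render role[bucket:scope], refusing names outside the safe charset."""
    for name in (bucket, scope):
        if not is_safe_identifier(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    return f"{role}[{bucket}:{scope}]"


def ui_reader_roles(bucket: str, scope: str) -> list[str]:
    """The 6 roles needed for read-only UI access to bucket.scope."""
    return [scoped(r, bucket, scope) for r in UI_READER_SCOPED] + list(UI_READER_GLOBAL)


def ui_writer_roles(bucket: str, scope: str) -> list[str]:
    """The 12 roles needed for read/write UI access to bucket.scope."""
    return ui_reader_roles(bucket, scope) + [scoped(r, bucket, scope) for r in UI_WRITER_EXTRA]


def user_manage_body(password: str, roles: list[str]) -> str:
    """Form body for PUT /settings/rbac/users/local/<username> (assumed API shape)."""
    return urlencode({"password": password, "roles": ",".join(roles)})


def granted_roles(user_json: str) -> set[str]:
    """Normalize one GET /settings/rbac/users entry into role[bucket:scope] strings.

    Field names (role, bucket_name, scope_name, collection_name) are assumed;
    '*' means 'all'. A collection-level grant does not cover the whole scope,
    so it is deliberately not counted.
    """
    out: set[str] = set()
    for r in json.loads(user_json)["roles"]:
        bucket = r.get("bucket_name")
        if bucket is None:
            out.add(r["role"])
        elif r.get("collection_name", "*") == "*":
            out.add(f"{r['role']}[{bucket}:{r.get('scope_name', '*')}]")
    return out


def missing_roles(granted: set[str], required: list[str]) -> list[str]:
    """Required roles not covered by granted ones, honouring '*' wildcards."""
    def covered(req: str) -> bool:
        if req in granted:
            return True
        m = re.match(r"^(\w+)\[([^:\]]+):([^\]]+)\]$", req)
        if not m:
            return False
        role, bucket, _scope = m.groups()
        return f"{role}[*:*]" in granted or f"{role}[{bucket}:*]" in granted
    return [r for r in required if not covered(r)]


# Constructed sample: a tenant user who was given only part of the reader bundle,
# one of the grants at collection level and one at bucket level.
SAMPLE_USER = json.dumps({
    "id": "tenant-a-reader", "domain": "local",
    "roles": [
        {"role": "query_select", "bucket_name": "travel-sample",
         "scope_name": "inventory", "collection_name": "*"},
        {"role": "data_reader", "bucket_name": "travel-sample",
         "scope_name": "*", "collection_name": "*"},
        {"role": "query_system_catalog"},
        {"role": "query_manage_index", "bucket_name": "travel-sample",
         "scope_name": "inventory", "collection_name": "airline"},
    ],
})

if __name__ == "__main__":
    needed = ui_reader_roles("travel-sample", "inventory")
    print("missing:", missing_roles(granted_roles(SAMPLE_USER), needed))
```

The audit side is the part worth keeping around: a user who looks "mostly right" in the UI can still be missing three of the six reader roles, and a collection-scoped grant silently fails to satisfy a scope-level requirement.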