Overview
Define roles and security rules so that a user can be assigned appropriate privileges
Action Items
- Get approval from Bonnie
Overview
Define privileges for KB roles (for users and groups) so that KB users have the privileges they need, no unneeded privileges, and no access to information they do not need. Implementation will be a separate issue.
Action Items
- Review Detail Section
- Decide on which user fields are needed by KB users that will be displayed on the documents.
Details Draft
There will be an API kb/user. The API will enforce user security based on PD roles that start with kb. The roles will be seeded into the existing Django roles table.
Terminology: A contributor is a People Depot user with the kb-contributor role. The API will be secured using Django roles. Below are the Django roles and what a
- name
- linked in
- website
Row Level Privileges
- kb-nonpriv: user that can be associated with a document but has no privileges
  - no privilege
- kb-viewer: user that can view all information but has no other privileges
  - PD: can view up-to-date level 1 fields of a PD user and roles
  - can view all KB info
- kb-contributor
  - PD: can view up-to-date level 1 fields of a PD user and roles
  - can view all KB info
  - can create a document
  - can assign themselves to a document
  - can update documents to which they are assigned
- kb-docadmin
  - PD: can view up-to-date level 1 fields of a PD user and roles for users with a kb role
  - can view all KB info
  - can create, read, and update all documents
  - can assign and deassign any contributor to a document. Some contributors may be Hack4LA users.
  - can update all documents
- kb-admin
  - PD: can view up-to-date level 1 fields of a PD user and roles for users with a kb role
  - can view all KB info
  - can create, read, and update all documents
  - can assign and deassign any contributor to a document. Some contributors may be Hack4LA users.
  - can create, read, and update all KB info (e.g., topic area) that is not sourced from PD (e.g., users, roles, practice areas, and topic areas)
Below, the same privileges are specified in table format.

| Role | Users | Assign Yourself | View All KB Info | Self Assign | Update assigned document | Update all documents and assignments |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| kb-viewer | X | | | | | |
| kb-contributor | | | | | | |
| kb-docadmin | X | X | | | | |
| kb-poweruser | X | X | X | | | |
| kb-admin | X | X | X | X | X | X |
Field Level Privileges
- Read: Field level read privileges are the same for all users.
- Update: kb-admin and kb-useradmin can update any readable field that is not system-populated.
- Create: kb-admin can specify any readable field that is not system-populated.
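The row-level rules in the list above and the field-level rules in this section can be written down as a single deny-by-default policy and unit-tested before they are wired into Django. The block below is an added example, not code from the People Depot project: the role names are the ones used in this issue, while the `User` and `Document` classes, the action names, and the `SYSTEM_FIELDS` set are assumptions made for illustration.

```python
"""Added example (not the project's own code): a pure-Python model of the
row-level and field-level rules described in this issue. Role names come
from the issue; User, Document, the action names and SYSTEM_FIELDS are
assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Roles as named in the issue. kb-useradmin appears only in the
# field-level section; it is listed so the field rules can reference it.
KB_NONPRIV = "kb-nonpriv"
KB_VIEWER = "kb-viewer"
KB_CONTRIBUTOR = "kb-contributor"
KB_DOCADMIN = "kb-docadmin"
KB_ADMIN = "kb-admin"
KB_USERADMIN = "kb-useradmin"

# Roles that may read every KB record (kb-nonpriv is deliberately absent).
VIEW_ALL_KB = {KB_VIEWER, KB_CONTRIBUTOR, KB_DOCADMIN, KB_ADMIN}
# Roles that may update any document and change any assignment.
DOC_ADMINS = {KB_DOCADMIN, KB_ADMIN}

# System-populated fields; never writable through the API
# (assumed field names, not from the issue).
SYSTEM_FIELDS = {"id", "created_at", "updated_at"}


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Document:
    doc_id: int
    # usernames of the contributors assigned to this document
    assignees: Set[str] = field(default_factory=set)


def can(user: User, action: str, doc: Optional[Document] = None) -> bool:
    """Row-level decision for one (user, action, document) triple.

    Actions: "view", "create", "self_assign", "assign_any", "update".
    Anything not explicitly granted below is denied.
    """
    roles = user.roles
    if action == "view":
        return bool(roles & VIEW_ALL_KB)
    if action == "create":
        return bool(roles & (DOC_ADMINS | {KB_CONTRIBUTOR}))
    if action == "self_assign":
        return KB_CONTRIBUTOR in roles or bool(roles & DOC_ADMINS)
    if action == "assign_any":
        return bool(roles & DOC_ADMINS)
    if action == "update":
        if roles & DOC_ADMINS:
            return True
        # A contributor may only update documents they are assigned to,
        # so the decision needs the row, not just the route.
        return (
            KB_CONTRIBUTOR in roles
            and doc is not None
            and user.username in doc.assignees
        )
    return False


def writable_fields(user: User, readable: Set[str], is_create: bool = False) -> Set[str]:
    """Field-level rule: on update, kb-admin and kb-useradmin may write any
    readable field that is not system-populated; on create only kb-admin may.
    Every other role gets an empty set.
    """
    writers = {KB_ADMIN} if is_create else {KB_ADMIN, KB_USERADMIN}
    if not user.roles & writers:
        return set()
    return readable - SYSTEM_FIELDS


if __name__ == "__main__":
    # Constructed sample data to exercise the policy.
    alice = User("alice", {KB_CONTRIBUTOR})
    doc1 = Document(1, {"alice"})
    doc2 = Document(2, set())
    print("alice updates doc1:", can(alice, "update", doc1))   # True
    print("alice updates doc2:", can(alice, "update", doc2))   # False
    root = User("root", {KB_ADMIN})
    print("admin writable:", writable_fields(root, {"title", "id"}))
```

The point of keeping the policy as plain functions is that `can()` needs the document row to decide the contributor case, so in the API it belongs in a per-object check (for Django REST Framework, a permission class's `has_object_permission`) rather than only at the route level; the field-level filter is applied to the serializer's writable fields before a create or update is saved.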