
Make admin web app accessible with users with different roles and permissions #1187

Closed
lakshithagunasekara opened this issue Jan 5, 2023 · 8 comments

Comments

@lakshithagunasekara

Problem

Currently, the admin web app is not developed to restrict different sections based on scopes. Only the workflow sections check for the workflow-related scopes [1] before loading, and because of this we can't allow users with different roles to access the admin web app.

[1] - https://github.com/wso2/apim-apps/blob/main/portals/admin/src/main/webapp/source/src/app/components/AdminPages/Dashboard/Dashboard.jsx#L43

Solution

Evaluate the scopes of each section before render.

Affected Component

APIM

Version

No response

Implementation

No response

Related Issues

No response

Suggested Labels

No response

@hasuniea

hasuniea commented Apr 17, 2023

We had a design review to finalize the design.

The admin web app is not developed to restrict different sections based on scopes. Currently any user with the apim:admin scope can view all the sections (Rate limiting policies, Gateways, API Categories, Key Managers, Settings, except Tasks). We can restrict each section by checking each user's scopes from the UI. But if we can go with an in-built role (internal role) for common scenarios such as task managing, rate limiting, settings, etc., we can reduce the overhead of assigning multiple scopes to the users.

We will have to create internal roles for each operation as below.


| Admin portal section | Scopes | Suggested internal role |
| --- | --- | --- |
| Rate Limiting policies | apim:tier_view, apim:policies_import_export, apim:tier_manage, apim:bl_manage, apim:bl_view | Policy manager |
| Gateways | apim:environment_manage, apim:environment_read | Gateway manager |
| API categories | admin_operations | Category manager |
| KeyManagers | admin_operations | Keymanager admin |
| Tasks | apim:api_workflow_view, apim:api_workflow_approve, apim:tenantInfo, apim:admin_settings | Workflow manager |
| Settings: Applications | apim:app_owner_change, apim:app_import_export, apim:admin_application_view | Application manager |
| Settings: Scope Assignment | apim:scope_manage, apim:role_manage | Scope manager |

In the case of this design, the user experience may be easy, as follows.
Customers who want to restrict admin users to the workflow functionalities just assign those admin users to the internal/workflowManager role. When such an admin user logs in to the admin portal, he/she can only see the Tasks left-side menu.
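As an added example that is not part of this thread or of the apim-apps code, the following plain JavaScript builds a per-section gate from the table above. It assumes that a section is shown when the user holds at least one of that section's listed scopes (the portal may instead require all of them), that unknown sections are denied, and that the user's scopes arrive as the space-separated `scope` claim of an OAuth2 token; `parseScopeClaim`, `canViewSection` and `visibleSections` are hypothetical names.

```javascript
// Section -> required scopes, taken from the table in the design comment above.
const SECTION_SCOPES = {
  'Rate Limiting policies': ['apim:tier_view', 'apim:policies_import_export',
    'apim:tier_manage', 'apim:bl_manage', 'apim:bl_view'],
  'Gateways': ['apim:environment_manage', 'apim:environment_read'],
  'API categories': ['admin_operations'],
  'KeyManagers': ['admin_operations'],
  'Tasks': ['apim:api_workflow_view', 'apim:api_workflow_approve',
    'apim:tenantInfo', 'apim:admin_settings'],
  'Settings: Applications': ['apim:app_owner_change', 'apim:app_import_export',
    'apim:admin_application_view'],
  'Settings: Scope Assignment': ['apim:scope_manage', 'apim:role_manage'],
};

// Turn the space-separated "scope" claim of a token into a Set of scope names.
function parseScopeClaim(scopeClaim) {
  return new Set(String(scopeClaim || '').split(/\s+/).filter(Boolean));
}

// Assumption: any one of the section's listed scopes is enough to show it.
// A section that is not in the table is denied (deny by default).
function canViewSection(section, userScopes) {
  const required = SECTION_SCOPES[section];
  if (!required) return false;
  return required.some((scope) => userScopes.has(scope));
}

// Evaluate every section before rendering the left-side menu and return
// only the sections this user may see, in table order.
function visibleSections(scopeClaim) {
  const scopes = parseScopeClaim(scopeClaim);
  return Object.keys(SECTION_SCOPES).filter((s) => canViewSection(s, scopes));
}

// Constructed sample claim: a user holding only workflow-manager scopes.
const WORKFLOW_MANAGER_SCOPES =
  'apim:api_workflow_view apim:api_workflow_approve apim:admin_settings';

// With this gate the bare apim:admin scope no longer unlocks every section,
// which is the behaviour change the issue asks for.
console.log(visibleSections(WORKFLOW_MANAGER_SCOPES)); // ['Tasks']
console.log(visibleSections('apim:admin'));            // []
```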

@hasuniea

Considering the user experience and the maintainability, we discussed going with an internal/manager role which is bound to the most common user scenarios, such as tasks and rate limiting policies. It is the default role which will ship with the pack. Besides that, if someone wants to add other functionalities to it, or if the user wants to restrict to only one operation, he/she has to follow the doc and create custom roles and map the related scopes to them.

@hasuniea

We had a code review and were asked to create a new constants file and put the necessary constants in there, without adding them to the publicly accessible settings.js.

@hasuniea

I created a separate file, and the PR is still in review.

@hasuniea

hasuniea commented May 15, 2023

Please find the doc [1] and PRs [2].
[1]. https://docs.google.com/document/d/1a4hrjD3VrPJ81BpN21-x1DX8y54pXXByqgqAVeVk6uA/edit?usp=sharing
[2]. i. Carbon-apimgt PR - wso2/carbon-apimgt#12135
ii. UI PR - wso2/apim-apps#492
iii. Doc PR - wso2/docs-apim#6989

@chamilaadhi

Additional Fixes
wso2/carbon-apimgt#12182
wso2/apim-apps#513

@chamilaadhi

Integration test fixes
wso2/product-apim#13287
wso2/product-apim#13290

@chamilaadhi

Remove invalid scopes wso2/apim-apps#514

@npamudika npamudika added this to the 4.3.0-M1 milestone Jan 3, 2024
@npamudika npamudika added 4.3.0 4.3.0-M1 4.3.0 M1 Milestone and removed 4.x.x labels Jan 3, 2024
@chamilaadhi chamilaadhi self-assigned this Aug 2, 2024