Permissions: Can View Permissions Assigned to Users

Purpose: Improve permissions handling so that assigned permissions control what options are presented to the user within FOLIO (currently all options are presented and you get an error when you attempt something you don't have rights to). The focus of this story is the "Can view permissions assigned to users" permission. Other stories will be added for other permissions.

Scenarios:

1. Scenario

   • Given User A has been assigned the "Can view permissions assigned to users" permission ONLY

   • When FOLIO is displayed

   • Then User A has the following rights:

     • Users app is visible in Recent Applications Toolbar

     • Basic user data can be searched and filtered in Users app*

     • Restricted user data can be searched and filtered in the Users app*

     • Basic user fields can be viewed*

     • Restricted user fields can be viewed*

     • Direct linking to User search, results and details is allowed

     • Can view permissions assigned to users

     • *NOTE: Items with asterisk assume we have implemented the distinction between basic and restricted fields. If we haven't yet done that, we can consolidate.

2. Scenario

   • Given User A has been assigned the "Can view permissions assigned to users" permission ONLY

   • When FOLIO is displayed

   • Then User A does NOT have the following rights:

     • User Edit button/icon is visible

     • Basic user fields can be edited*

     • Restricted user fields can be edited*

     • Direct linking to Edit User page is allowed

     • Create new user button is visible

     • User creation is permitted

     • Direct linking to Create User page is allowed

     • Can assign and unassign permissions to users

     • Settings app is visible in Recent Applications Toolbar

     • "User permissions" link is visible under Settings > Users

     • User permission sets can be created, read, updated and deleted

     • *NOTE: Items with asterisk assume we have implemented the distinction between basic and restricted fields. If we haven't yet done that, we can consolidate.

3. Scenario

   • Given I don't have rights to direct link to Page A

   • When I direct link to page A (e.g. I paste the url into my browser)

   • Then I should see the following message:

     • Header/Title: Permission Error

     • Text: Sorry - your user permissions do not allow access to this page.

     • NOTE: This is an edge case and it doesn't need to be pretty, but we do need to make sure it works so there's no back door to access things you shouldn't be able to access. We're flexible on how we do this.

4. Scenario

   • Given User A has been assigned the "Can view permissions assigned to users" permission AND another permission or set

   • When FOLIO is displayed

   • Then User A shall have the cumulative set of rights from all assigned permissions

Additional Info: A graphical representation of the rights by base permission can be found in this google sheet. Please note that the scope of the sheet is much larger than this particular story (and even includes some items that are out of scope for v1). Please reference the scenarios in this story for story scope.