Permissions: Can Create, Edit and Remove Permission Sets
Description
Environment
Potential Workaround
blocks
is blocked by
relates to
Checklist
hideTestRail: Results
Activity
Mike Taylor May 3, 2017 at 1:59 PM
Took a while, but all the bits of this are now done.
Mike Taylor April 28, 2017 at 1:19 PM
Just testing quote-within-a-quote: ignore this comment.
One stray requirement in the story, BTW:
Settings app is visible in Recent Applications Toolbar
Of course, there is no Recent Applications Toolbar at this point – only the list of all available applications at top nearly-right. But there is a Settings link at top left, next to the FOLIO branding.
Cate Boerema April 28, 2017 at 1:11 PMEdited
One stray requirement in the story, BTW:
Settings app is visible in Recent Applications Toolbar
Of course, there is no Recent Applications Toolbar at this point – only the list of all available applications at top nearly-right. But there is a Settings link at top left, next to the FOLIO branding.
I know the icons in the top nav aren't the recent applications yet, but that's what we are calling it for lack of a better term. That's actually where the Settings icon belongs (I have never understood why it ended up on the left). Anyway, the idea behind this requirement is that, if you have permissions to at least one function within Settings, you should see the Settings icon in the top nav. If you don't, you shouldn't see it.
Mike Taylor April 28, 2017 at 9:30 AM
I have verified that the way things work at present is correct, as far as it goes:
perms.permissions.getis required to do any permission management at all, including seeing which permissions are contained in a set.perms.permissions.item.putis required to either add permissions to, or remove them from, a set.
So that accounts for bullet #1 in the previous comment. The others remain to be implemented.
Mike Taylor April 27, 2017 at 4:10 PM
So here's what I need to do:
Check which permissions are presently required for permission-set management operations, and that they are included in
users-bl.editpermsets.Do not display the "+" to add a new set if the user lacks
perms.permissions.item.postDo not display the "Delete Set" button if the user lacks
perms.permissions.item.deleteDo not display the "Add Permission" button or the "X"-for-delete buttons if the user lacks
perms.permissions.item.put
It would also be nice to hide the Permission Sets settings area from users without perms.permissions.get; but at present there can be no such users, as they wouldn't be able to fetch their own permissions during the login process. That can be filed as a separate issue for another day if we decide we want it.
Details
Details
Assignee
Mike TaylorReporter
Cate BoeremaPriority
P2
Purpose: Improve permissions handling so that assigned permissions control what options are presented to the user within FOLIO (currently all options are presented and you get an error when you attempt something you don't have rights to). The focus of this story is the "Can create, edit and remove permission sets" permission. Other stories will be added for other permissions.
Scenarios:
Scenario
Given User A has been assigned the "Can create, edit and remove permission sets" permission ONLY
When FOLIO is displayed
Then User A has the following rights:
Settings app is visible in Recent Applications Toolbar
"User permissions" link is visible under Settings > Users
User permission sets can be created, read, updated and deleted
Scenario
Given User A has been assigned the "Can create, edit and remove permission sets" permission ONLY
When FOLIO is displayed
Then User A does NOT have the following rights:
Users app is visible in Recent Applications Toolbar
Basic user data can be searched and filtered in Users app*
Restricted user data can be searched and filtered in the Users app*
Basic user fields can be viewed*
Restricted user fields can be viewed*
Direct linking to User search, results and details is allowed
User Edit button/icon is visible
Basic user fields can be edited*
Restricted user fields can be edited*
Direct linking to Edit User page is allowed
Create new user button is visible
User creation is permitted
Direct linking to Create User page is allowed
Can view permissions assigned to users
Can assign and unassign permissions to users
*NOTE: Items with asterisk assume we have implemented the distinction between basic and restricted fields. If we haven't yet done that, we can consolidate.
Scenario
Given I don't have rights to direct link to Page A
When I direct link to page A (e.g. I paste the url into my browser)
Then I should see the following message:
Header/Title: Permission Error
Text: Sorry - your user permissions do not allow access to this page.
NOTE: This is an edge case and it doesn't need to be pretty, but we do need to make sure it works so there's no back door to access things you shouldn't be able to access. We're flexible on how we do this.
Scenario
Given User A has been assigned the "Can create, edit and remove permission sets" permission AND another permission or set
When FOLIO is displayed
Then User A shall have the cumulative set of rights from all assigned permissions
Additional Info: A graphical representation of the rights by base permission can be found in this google sheet. Please note that the scope of the sheet is much larger than this particular story (and even includes some items that are out of scope for v1). Please reference the scenarios in this story for story scope.