Agreements: Implement RBAC based access to resources
Description
Current situation or problem:
Currently, if a user has read/write access to agreements, they can access all agreement, agreement line and other data in the Agreements module.
This story is to implement a role-based access control (RBAC) model that enables more selective access to specific agreements and agreement lines as necessary.
Note that a number of modules (Orders, Organisations, Invoices, Finance) implement selective access to resources using the concept of "acquisition units". A user can be linked to one or more "units" (essentially a group of users), and specific orders, organisations, invoices or funds can be made accessible only to users who belong to particular units.
In terms of user-facing experience, it is important that the mechanism implemented in Agreements is compatible with the existing acquisition units and doesn't require the user to set up and assign their groups/units multiple times.
In scope
An RBAC-based model that can be used in Agreements and, in the future, other Bienenvolk modules. This will make it possible to limit access to particular agreements and their related agreement lines to particular groups of users. It will act in parallel with the existing authorisation granted through the permissions defined in the module, which control whether a user has create/read/update/delete permission for particular endpoints in the module.
From the user's perspective, the implementation should work seamlessly with the acquisition units used by Orders, Organisations, Invoices and Finance.
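The two-layer check described above (endpoint permission first, then unit membership on the individual record) can be sketched as a small model. This is an added example, not code from mod-agreements or from the FOLIO acquisition-units implementation; the permission name, table and column names, and sample users, units and agreements are all constructed for illustration, and it assumes (as the acquisition-units modules do for unrestricted records) that a record with no units assigned is visible to every user who holds the endpoint permission. The SQL variant at the end shows the shape a hand-written list query would have to take for the same policy to apply, which is the concern raised in the Questions section.

```python
"""Added example: unit-scoped access layered over endpoint permissions.

Hypothetical model only; names, tables and data are constructed.
"""
import sqlite3
from dataclasses import dataclass

# Hypothetical endpoint permission name, checked before any unit logic runs.
PERM_READ = "agreements.item.get"


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # endpoint permissions granted to the user
    units: frozenset        # units (user groups) the user belongs to


@dataclass(frozen=True)
class Agreement:
    id: str
    units: frozenset        # units allowed to see the record; empty = unrestricted (assumption)


# Constructed sample data.
AGREEMENTS = [
    Agreement("A1", frozenset({"law"})),
    Agreement("A2", frozenset({"medicine"})),
    Agreement("A3", frozenset()),                   # no units: unrestricted
    Agreement("A4", frozenset({"law", "medicine"})),
]
USERS = {
    "alice": User("alice", frozenset({PERM_READ}), frozenset({"law"})),
    "bob":   User("bob",   frozenset({PERM_READ}), frozenset()),          # permission, no units
    "carol": User("carol", frozenset(),            frozenset({"law", "medicine"})),  # units, no permission
}


def unit_allows(user: User, record: Agreement) -> bool:
    """Unit layer: unrestricted records pass; otherwise the user must share a unit."""
    return not record.units or bool(user.units & record.units)


def can_read(user: User, record: Agreement) -> bool:
    """Both layers must pass: the endpoint permission AND the unit check."""
    return PERM_READ in user.permissions and unit_allows(user, record)


def visible_in_memory(user: User) -> list:
    """Single-record rule applied to a list endpoint: filter, never return all."""
    return sorted(r.id for r in AGREEMENTS if can_read(user, r))


def build_db() -> sqlite3.Connection:
    """Load the sample data into an in-memory SQLite schema (hypothetical tables)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE agreement (id TEXT PRIMARY KEY);"
        "CREATE TABLE agreement_unit (agreement_id TEXT, unit_id TEXT);"
    )
    for a in AGREEMENTS:
        conn.execute("INSERT INTO agreement VALUES (?)", (a.id,))
        conn.executemany("INSERT INTO agreement_unit VALUES (?, ?)",
                         [(a.id, u) for u in a.units])
    return conn


def unit_filter_sql(user: User):
    """The unit rule as a parameterised WHERE fragment for a hand-written query.

    Returns (clause, params); 'a' is the alias of the agreement table.
    """
    params = sorted(user.units)
    clause = "NOT EXISTS (SELECT 1 FROM agreement_unit au WHERE au.agreement_id = a.id)"
    if params:  # only add the membership branch when the user has any units
        placeholders = ", ".join("?" * len(params))
        clause += (" OR EXISTS (SELECT 1 FROM agreement_unit au"
                   " WHERE au.agreement_id = a.id"
                   f" AND au.unit_id IN ({placeholders}))")
    return f"({clause})", params


def visible_via_sql(user: User, conn: sqlite3.Connection) -> list:
    """Same decision as visible_in_memory, but enforced inside the query."""
    if PERM_READ not in user.permissions:
        return []
    clause, params = unit_filter_sql(user)
    rows = conn.execute(
        f"SELECT a.id FROM agreement a WHERE {clause} ORDER BY a.id", params)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for u in USERS.values():
        print(u.name, visible_in_memory(u), visible_via_sql(u, db))
```

Running it lists, for each sample user, the agreements the in-memory rule and the SQL rule return; the two agree for every user, which is the property a rewritten performance query has to preserve.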
Out of scope
Use case(s)
Limit access to view an agreement to users from a specific team or group within a tenant (which could represent a single library or multiple libraries).
Proposed solution/stories
Links to additional info
Questions
Does the agreement line (entitlement) always inherit its access from the agreement, or should it be possible to set the agreement line's access separately?
Aside from agreements and agreement lines (entitlements), do any other types of resource in Agreements need to be protected by RBAC?
Which queries, if any, will need to be rewritten to apply RBAC policies (i.e. where a query has been hand-written in order to gain performance)?