[UXPROD-4500] Granular permissions: grant permission for each entity/record type Created: 13/Oct/23  Updated: 25/Jan/24

Status: In Refinement
Project: UX Product
Components: None
Affects versions: None
Fix versions: Quesnelia (R1 2024)

Type: New Feature Priority: P3
Reporter: Kathleen Moore Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Continues
is continued by UXPROD-4673 Improve FQM's permission model Draft
Defines
defines MODFQMMGR-38 Implement permissions for entity types Open
Relates
relates to MODFQMMGR-38 Implement permissions for entity types Open
Release: Quesnelia (R1 2024)
Development Team: Corsair
PO Rank: 0

 Description   

Current situation or problem: Right now, if someone has access to FQM (or Lists), they have access to everything exposed by those modules. This feature is to lock those down a little by adding a new separate permission for each entity/record type, so that users can be given more targeted permissions.

In scope

  • A content permission (one per entity-type) enables access to lists of that entity-type
  • Lack of the content permission prevents access to lists of that entity-type
  • Users will be required to have content permission(s) + lists app permission(s) [these permissions already exist] to use the Lists app
  • Limit entity types when creating a list based on content permissions
    • Record type dropdown limited by permissions
    • Error/messaging if you don't have permissions for any entity-type 
  • On the lists landing page, limit viewing of lists based on content permissions
  • On the lists landing page, limit filtering of entity types based on content permissions
  • Provide an appropriate error message/warning when provided a direct link to a list the user doesn't have access to

Out of scope

  • Permissions per field within an entity-type
  • Unique pairing of lists app permission(s) with content permission(s)
    • A single user can't be provided 'view' access for the 'items' entity-type and 'edit' access for the 'loans' entity type.  

Use case(s)

  • Scenario: Content permission enables access per entity type 
    Given a content permission is available per entity type 
    When a user has the content permission for an entity type enabled
    Then the user can access content* in the Lists app for that entity type 
  • Scenario: Lack of content permission prevents access per entity type 
    Given a content permission is available per entity type 
    When a user does NOT have the content permission for an entity type 
    Then the user CAN NOT access content* in the Lists app for that entity type
    • Example 1: User A has admin permissions for the Lists app (and can view, create, edit, delete and export in the Lists app). User A also has the content permission enabled for the 'Users' and 'Items' entity types. User A can only view, create, edit, delete and export lists for the 'Users' and 'Items' entity types - access to 'Loans,' 'Purchase order lines' or other entity types is prevented.
    • Example 2: User B has viewing permissions for the Lists app. User B has content permissions for the 'Loans' entity type. User B can only view lists of the 'Loans' entity-type - access to any other entity types is prevented. 
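
The access rule these scenarios describe, as an added example that is not part of the original ticket or of the FOLIO code base: an action succeeds only when the user holds both the Lists app permission for that action and the content permission for the list's entity type. The class names, permission values and sample data are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical permission values, constructed for this example (not FOLIO's names).
APP_ACTIONS = frozenset({"view", "create", "edit", "delete", "export"})
ENTITY_TYPES = ["Users", "Items", "Loans", "Purchase order lines"]

@dataclass(frozen=True)
class User:
    name: str
    app_actions: frozenset    # Lists app permissions (these already exist)
    content_types: frozenset  # new content permissions, one per entity type

@dataclass(frozen=True)
class SavedList:
    list_id: str
    entity_type: str

def can(user, action, entity_type):
    """Both checks must pass; neither permission alone grants access."""
    return action in user.app_actions and entity_type in user.content_types

def creatable_entity_types(user):
    """Record type dropdown: only types the user has content permission for.
    An empty result is the 'no permissions for any entity-type' error case."""
    if "create" not in user.app_actions:
        return []
    return [t for t in ENTITY_TYPES if t in user.content_types]

def visible_lists(user, lists):
    """Landing page: drop lists whose entity type the user cannot access."""
    return [lst for lst in lists if can(user, "view", lst.entity_type)]

def open_list(user, lists, list_id):
    """Direct link: repeat the check for the single list, not only the listing."""
    for lst in lists:
        if lst.list_id == list_id:
            if not can(user, "view", lst.entity_type):
                raise PermissionError(f"no content permission for {lst.entity_type}")
            return lst
    raise KeyError(list_id)

# Constructed sample data mirroring Example 1 (User A) and Example 2 (User B).
USER_A = User("A", APP_ACTIONS, frozenset({"Users", "Items"}))
USER_B = User("B", frozenset({"view"}), frozenset({"Loans"}))
LISTS = [SavedList("l1", "Users"), SavedList("l2", "Loans"), SavedList("l3", "Items")]
```

Because the two permission sets are stored independently, a user's Lists app actions apply uniformly to every entity type they can access, which is the out-of-scope limitation noted above.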

Proposed solution/stories

 

Links to additional info

Questions


Generated at Fri Feb 09 00:40:23 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.