<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:07:07 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-617] Super user and super tenant</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-617</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Consider if we need to have something analogous to the &apos;root&apos; user on Unix systems, a user that has implicit permission to do anything at all.&lt;/p&gt;</description>
                <environment></environment>
        <key id="80172">FOLIO-617</key>
            <summary>Super user and super tenant</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a">Heikki Levanto</reporter>
                                    <labels>
                    </labels>
                <created>Mon, 22 May 2017 12:38:03 +0000</created>
                <updated>Mon, 12 Nov 2018 14:23:33 +0000</updated>
                            <resolved>Tue, 25 Jul 2017 11:50:39 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                    <timespent seconds="10800">3 hours</timespent>
                                <comments>
                                                            <comment id="192125" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Mon, 22 May 2017 12:47:07 +0000"  >&lt;p&gt;I can imagine a few different types of &apos;super&apos; users:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;One who may do anything at all, including creating and deleting tenants and modules&lt;/li&gt;
	&lt;li&gt;One that may operate on Okapi&apos;s module/tenant functions, but may not do stuff internal to a tenant (forgive fines)&lt;/li&gt;
	&lt;li&gt;One that may do anything at all, within his own tenant, but may not touch other tenants or Okapi itself&lt;/li&gt;
	&lt;li&gt;A specific super-tenant that is allowed to do Okapi stuff, but that will not have (regular) users, or many active modules to do anything library-like&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;There is a philosophical difference between a true superuser that implicitly has permission to do everything, and a mere mortal user who happens to have all permissions granted. The second one can have some permissions redacted, and when new modules are enabled, he will not automagically get full permissions for those. Whereas the true superuser will always have all permissions for all modules. &lt;/p&gt;

&lt;p&gt;I am not quite sure of how much of these we will ever need. I could imagine that we would need at least one operator who can create tenants and install new modules on a cluster, and who would not be part of any tenant as such. And that each tenant would need some kind of admin user, but that could just be a regular user who has the permission to grant any permission to any of his users, and maybe enable (already-installed) modules for his tenant...&lt;/p&gt;

&lt;p&gt;This needs some more thought and discussion...&lt;/p&gt;</comment>
                                                            <comment id="192126" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Mon, 22 May 2017 13:42:23 +0000"  >&lt;p&gt;I start to believe that we can get away with two kinds of &quot;super&quot; users, none of which needs to have true superuser superpowers:&lt;/p&gt;

&lt;p&gt;For the first, I think we need a special site-admin tenant that will be used for site administration only. Inside that tenant, we need to create a very powerful user (&quot;landlord&quot;?) that has powerful permissions to do various things like&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Manage tenants, modules, and other Okapi-related things&lt;/li&gt;
	&lt;li&gt;Enable and disable modules for any existing tenant (although the tenant&apos;s own admin should be allowed to do this as well)&lt;/li&gt;
	&lt;li&gt;Create lesser users inside this tenant and grant those some subset of his own powers.&lt;/li&gt;
	&lt;li&gt;This user may also need a permission to log in as a superuser inside a regular tenant, to see that all works there, but I am not quite sure of that.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;This tenant and site-admin user should be created as a part of the process of setting up a new Folio installation.&lt;/p&gt;

&lt;p&gt;For the second, I think we need a fairly powerful admin user within each tenant with powers to&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Enable and disable modules for the tenant (maybe with some restrictions, like not being allowed to disable the auth modules, not to leave the whole system wide open)&lt;/li&gt;
	&lt;li&gt;Create users and manage their permissions&lt;/li&gt;
	&lt;li&gt;Manage his own permissions&lt;/li&gt;
	&lt;li&gt;Bulk-load data into the system&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;This user should be created as a part of the process of creating a new tenant. He does not need magic permissions to do everything, he can grant permissions to himself if he needs.&lt;/p&gt;
</comment>
                                                            <comment id="192127" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Tue, 23 May 2017 09:29:10 +0000"  >&lt;p&gt;On the other hand, it would not be too difficult to define a superuser permission bit. If the user has that one set, the auth module could blindly grant whatever permissions are required or desired, without consulting the permissions module at all. That would be powerful, but also a security risk. It would be possible to make the permissions graduated, so that a regular superuser would be able to do anything within his own tenant, but still not get magic access to Okapi-level operations, but this starts to get messy.&lt;/p&gt;

&lt;p&gt;I believe we can get far without introducing superusers at all. If needed, they can be added later.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="53565">OKAPI-344</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzxo93:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>