Overview

One outcome of a recent investigation into misleading permission set configuration (

...

• Avoid inclusion of other modules permissions in your permission sets.  For example, mod-foo's permission set foo.all shouldn't include mod-bar's bar.item.get permission.  Here it's the module that needs the permission, not the user.
  • Do:  include the other module's permission(s) in your modulePermissions (or non-visible modulePermission sets - see above)
  • Don't:  include other modules permissions in your visible permission sets that will be assigned to users.

UI Modules

• Define separate permission sets for settings if other other module permissions are needed (e.g. configuration.entries.collection.get). 
  • Example: "ui-users.settings.customfields.edit" probably needs configuration.entries.collection.get, but "ui-users.view" probably doesn't.  If needed, additional permission sets should be created with appropriate names.

Other Considerations

• Sensitive information should NEVER be stored in mod-configuration. SMTP credentials, RMAPI credentials, etc. should be stored behind their own endpoints which are protected with distinct permissions.
• We might want to take a look at ways to make the permissions of this module more granular, perhaps something could be done using desiredPermissions / X-Okapi-Permissions? Though I'm not sure this is really doable or even worth it. I think I'm in favor of just moving away from mod-configuration all together (see below)
• We should consider moving away from using mod-configuration in general. The cross-app nature of this module makes it difficult to deal with other things like sample/reference data... what if you want some reference data loaded into mod-configuration, but not all of it?
• TBD

...