Skip to end of banner
Go to start of banner

Proposed Permission Set Guidelines

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Overview

One outcome of a recent investigation into misleading permission set configuration ( FOLIO-2565 - Getting issue details... STATUS ) is the proposal of new guidelines for permission sets.  This document serves as a place to capture that proposal and elicit feedback from others and facilitate discussion. 

Naming Conventions

  1. Name the permission sets appropriately, e.g. avoid inclusion of POST/PUT/DELETE permissions in "*.view" permission sets.

    • Good: 

      {
  "permissionName": "ui-erm-usage.view-create-edit",
  "displayName": "eUsage: Can view, create and edit usage data providers and COUNTER reports",
  "id": "ade748af-66b5-4584-a319-3cac20899241",
  "description": "Can view, create and edit usage data providers and COUNTER reports",
  "tags": [],
  "subPermissions": [
    "module.erm-usage.enabled",
    "usagedataproviders.collection.get",
    "usagedataproviders.item.get",
    "usagedataproviders.item.post",
    "usagedataproviders.item.put",
    "counterreports.collection.get",
    "counterreports.item.get",
    "counterreports.item.post",
    "counterreports.item.put",
    "aggregatorsettings.collection.get",
    "aggregatorsettings.item.get"
  ],
  "childOf": [],
  "grantedTo": [
    "fba0106d-e2ad-494e-8958-ce5b447ab2aa"
  ],
  "mutable": false,
  "visible": true,
  "dummy": false
}

    • Bad: 

      {
  "permissionName": "ui-receiving.basic.view",
  "displayName": "Receiving: Basic view",
  "id": "5542bb26-9eff-4699-a7c5-6e6a049979d7",
  "tags": [],
  "subPermissions": [
    "module.receiving.enabled",
    "orders.item.get",
    "orders.pieces.item.post",
    "orders.pieces.item.put",
    "orders.po-lines.collection.get",
    "orders.titles.collection.get",
    "orders.titles.item.get",
    "ui-receiving.third-party-services"
  ],
  "childOf": [
    "ui-receiving.view"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": false,
  "dummy": false
}
  2. Permission sets for modulePermissions should use the "modperms" prefix.  These also should not be visible as they aren't intended to be assigned to users.

    • Example: 

        "permissionName": "modperms.circulation.loans.anonymize",
  "permissionName": "modperms.circulation.override-renewal-by-barcode.post",
  "permissionName": "modperms.circulation.renew-by-barcode.post",
  "permissionName": "modperms.circulation.requests.item.move.post",
  "permissionName": "modperms.circulation.renew-by-id.post",
  "permissionName": "modperms.circulation.requests.item.post",
  "permissionName": "modperms.circulation.override-check-out-by-barcode.post",
  "permissionName": "modperms.circulation.requests.item.put",
  "permissionName": "modperms.circulation.requests.instances.item.post",
  "permissionName": "modperms.circulation.check-out-by-barcode.post",
  "permissionName": "modperms.orders.item.post",
  "permissionName": "modperms.orders.item.put",
  3. TBD

Backend Modules

  • Avoid inclusion of other modules permissions in your permission sets.  For example, mod-foo's permission set foo.all shouldn't include mod-bar's bar.item.get permission.  Here it's the module that needs the permission, not the user.
    • Do:  include the other module's permission(s) in your modulePermissions (or non-visible modulePermission sets - see above)
    • Don't:  include other modules permissions in your visible permission sets that will be assigned to users.

UI Modules

  • Define separate permission sets for settings if other other module permissions are needed (e.g. configuration.entries.collection.get). 
    • Example: "ui-users.settings.customfields.edit" probably needs configuration.entries.collection.get, but "ui-users.view" probably doesn't.  If needed, additional permission sets should be created with appropriate names.

Using *.all Permissions

  • Only include *.all permissions when absolutely sure it's necessary/appropriate.  Instead use just the permissions actually needed.

    • Example of a permission set that probably abuses *.all permissions 

      {
  "permissionName": "ui-checkin.all",
  "displayName": "Check in: All permissions",
  "id": "094310c8-cd71-4b76-a10d-2921ccd10654",
  "description": "Entire set of permissions needed to use Checkin",
  "tags": [],
  "subPermissions": [
    "circulation.all",
    "circulation-storage.all",
    "configuration.all",
    "users.collection.get",
    "usergroups.collection.get",
    "module.checkin.enabled",
    "inventory.items.collection.get",
    "inventory-storage.service-points.collection.get"
  ],
  "childOf": [],
  "grantedTo": [
    "fba0106d-e2ad-494e-8958-ce5b447ab2aa"
  ],
  "mutable": false,
  "visible": true,
  "dummy": false
}

Other Considerations

  • Sensitive information should NEVER be stored in mod-configuration. SMTP credentials, RMAPI credentials, etc. should be stored behind their own endpoints which are protected with distinct permissions.
  • We might want to take a look at ways to make the permissions of this module more granular, perhaps something could be done using desiredPermissions / X-Okapi-Permissions? Though I'm not sure this is really doable or even worth it. I think I'm in favor of just moving away from mod-configuration altogether (see below)
  • We should consider moving away from using mod-configuration in general. The cross-app nature of this module makes it difficult to deal with other things like sample/reference data... what if you want some reference data loaded into mod-configuration, but not all of it?
    • See  FOLIO-2583 - Getting issue details... STATUS
    • One use case where it probably makes sense to continue to have centralized configuration is for things that are truly shared across multiple apps, e.g. the tenant settings
  • How do we handle "migration" of permission sets as teams clean things up?
    • One idea is to do something like add a field to the module descriptor that allows you to specify that this permission set "replaces" one named XYZ.  This would result the swapping and cleanup of permissions.
    • A spike is likely forthcoming for this.

Appendix

Examples of Permission Sets with Misleading Names

[{
  "permissionName": "ui-receiving.basic.view",
  "displayName": "Receiving: Basic view",
  "id": "5542bb26-9eff-4699-a7c5-6e6a049979d7",
  "tags": [],
  "subPermissions": [
    "module.receiving.enabled",
    "orders.item.get",
    "orders.pieces.item.post",
    "orders.pieces.item.put",
    "orders.po-lines.collection.get",
    "orders.titles.collection.get",
    "orders.titles.item.get",
    "ui-receiving.third-party-services"
  ],
  "childOf": [
    "ui-receiving.view"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": false,
  "dummy": false
},{
  "permissionName": "ui-organizations.basic.view",
  "displayName": "Organizations: Basic view",
  "id": "c0f97cdc-7fb5-46b1-814c-d78b58d62da0",
  "tags": [],
  "subPermissions": [
    "module.organizations.enabled",
    "organizations-storage.accounts.collection.get",
    "organizations-storage.accounts.item.get",
    "organizations-storage.addresses.collection.get",
    "organizations-storage.addresses.item.get",
    "organizations-storage.agreements.collection.get",
    "organizations-storage.agreements.item.get",
    "organizations-storage.aliases.collection.get",
    "organizations-storage.aliases.item.get",
    "organizations-storage.categories.collection.get",
    "organizations-storage.categories.item.get",
    "organizations-storage.contacts.all",
    "organizations-storage.emails.collection.get",
    "organizations-storage.emails.item.get",
    "organizations-storage.interfaces.all",
    "organizations-storage.organizations.collection.get",
    "organizations-storage.organizations.item.get",
    "organizations-storage.phone-numbers.collection.get",
    "organizations-storage.phone-numbers.item.get",
    "organizations-storage.urls.collection.get",
    "organizations-storage.urls.item.get",
    "ui-organizations.third-party-services"
  ],
  "childOf": [
    "ui-organizations.view",
    "ui-organizations.creds.view"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": false,
  "dummy": false
},{
  "permissionName": "ui-licenses.licenses.view",
  "displayName": "Licenses: Search & view licenses",
  "id": "9f9bad1c-dfbd-4c36-98f6-7ef9c8c722d6",
  "tags": [],
  "subPermissions": [
    "module.licenses.enabled",
    "tags.item.post",
    "licenses.licenses.view",
    "licenses.files.view",
    "licenses.contacts.view",
    "licenses.custprops.view",
    "licenses.orgs.view"
  ],
  "childOf": [
    "ui-licenses.licenses.edit",
    "ui-licenses.licenses.delete"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": true,
  "dummy": false
},{
  "permissionName": "ui-notes.item.view",
  "displayName": "Notes: Can view a note",
  "id": "ccb872ae-eb1b-421d-9b36-4f818e96bde7",
  "tags": [],
  "subPermissions": [
    "note.types.collection.get",
    "notes.item.get",
    "notes.collection.get",
    "notes.collection.get.by.status",
    "notes.domain.all",
    "module.notes.enabled"
  ],
  "childOf": [
    "ui-notes.item.create",
    "ui-notes.item.edit",
    "ui-notes.item.delete",
    "ui-notes.item.assign-unassign"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": true,
  "dummy": false
},{
  "permissionName": "ui-receiving.view",
  "displayName": "Receiving: View",
  "id": "33096278-520c-4268-8f2f-a5075e8e7171",
  "tags": [],
  "subPermissions": [
    "orders.check-in.collection.post",
    "orders.receiving.collection.post",
    "settings.receiving.enabled",
    "ui-receiving.basic.view"
  ],
  "childOf": [
    "ui-receiving.edit"
  ],
  "grantedTo": [],
  "mutable": false,
  "visible": true,
  "dummy": false
}]



  • No labels