Lists app permissions
Requirement
As a system administrator, I want my library staff to only have access to lists containing records that they have permission to view, so that sensitive/confidential data is only available to library staff who must have access to it.
Phases planned for implementation
Q CSP release: Implement granular permissions for all entity/record types released
Support non-Eureka
Support Eureka
Ramsons release: Implement granular permissions for all entity/record types merged to Ramsons main branch
Support non-Eureka
Support Eureka
ECS consideration
Current Lists app permissions:
Lists (Admin): All permissions
Lists (Delete): Can create, edit, refresh, and delete lists
Lists (Edit): Can create, edit, and refresh lists
Lists (Enable): Can view lists
Lists (Export): Can create, edit, refresh, and export lists
Lists app
Implementation: Check the entity’s existing permissions. In other words, check whether a user has all “Get permissions” needed to view an entity type (aka record type). The second column represents the UI permissions that should align with the Get permissions per entity/record type.
Spreadsheet with analysis of current UI permissions that relate to each entity type
Note to KG: This requires very good release notes.
UX Workflow
# | Scenario | Lists app results list: Expected outcome | Lists app detail record: Expected outcome | Query plugin Expected outcome | Notes/comments/questions |
---|---|---|---|---|---|
1 | User has all entity types “get” permissions assigned AND has a Lists app permission assigned | | Create a new list: Record type selection > Show all entity types; Edit a new list: No change; Export a list: No change; Duplicate a list: No change; Delete a list: No change; Refresh a list: No change; Show columns: No change | No change - only show the fields based on record type selection | |
2 | User does not have all entity types “get” permissions assigned AND has a Lists app permission assigned | | Create a new list: Record selection type > Show only entity types for which the user has all “get permissions” assigned to view all available Lists app fields; Edit a new list: No change; Export a list: No change; Duplicate a list: No change; Delete a list: No change; Refresh a list: No change; Show columns: No change | Same as above | |
3 | User has no entity type “get” permission assigned AND has a Lists app permission assigned | Do not display first pane, instead | User cannot take any detail record action | User cannot access or do anything with query plug-in | |
4 | User had an entity type “get” permission assigned but no longer has that permission assigned AND has a Lists app permission assigned | See scenario 2 | | | MW - This seems like basically the same as scenario #2. Is this worth worrying about with special handling of this edge case at this point or should we leave it alone for now? |
5 | User has an entity type “get” permission assigned BUT has no Lists app permission assigned | User cannot use the Lists app. Unsure it is possible to access the Lists app without… permissions to do so. This scenario should already be handled but should be tested. | | | |
6 | Deferred for Q and Ramsons: User is assigned an entity type “get” permission that does not return all fields AND has a Lists app permission assigned | See Scenario 2 | New - No change; Duplicate - Only allow user to show/view fields they have access to; View - Only allow user to show/view fields they have access to; Export - Only allow user to export fields that they have access to; Refresh - Only allow user to show/view fields they have access to | Only allow user to create/edit a query on fields they have access to; Only allow user to show/view fields they have access to | |
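
The "has all Get permissions" check from the Implementation note, applied to scenarios 1, 2, 3 and 5 of the table, as an added example that is not FOLIO code. The entity-type-to-permission map and the `example.*` permission names are hypothetical, and `canViewList` assumes a list is shown only when its record type is visible to the user.

```javascript
// Added example with constructed data; not FOLIO code.
// Lists app permissions as named on this page.
const LISTS_APP_PERMS = new Set([
  'Lists (Admin)', 'Lists (Delete)', 'Lists (Edit)', 'Lists (Enable)', 'Lists (Export)',
]);

// Hypothetical map: entity (record) type -> every "get" permission needed to
// view all of its Lists app fields. The permission names are placeholders.
const REQUIRED_GET_PERMS = {
  Loans: ['example.loans.get', 'example.users.get', 'example.items.get'],
  Users: ['example.users.get', 'example.groups.get'],
  Items: ['example.items.get', 'example.holdings.get'],
};

// Returns the entity types whose required "get" permissions are ALL held.
// Fails closed: a type with a missing or empty requirement list is never shown.
function visibleEntityTypes(userPerms, required = REQUIRED_GET_PERMS) {
  const held = new Set(userPerms);
  return Object.entries(required)
    .filter(([, perms]) => Array.isArray(perms) && perms.length > 0
      && perms.every((p) => held.has(p)))
    .map(([type]) => type)
    .sort();
}

// Maps a user's permission set to the outcomes in the scenario table.
function listsAccess(userPerms) {
  const hasListsPerm = userPerms.some((p) => LISTS_APP_PERMS.has(p));
  if (!hasListsPerm) {
    // Scenario 5: entity "get" permissions alone never open the Lists app.
    return { canUseListsApp: false, entityTypes: [], canUseQueryPlugin: false };
  }
  const entityTypes = visibleEntityTypes(userPerms);
  return {
    canUseListsApp: true,
    entityTypes, // scenario 1: all types; scenario 2: the permitted subset
    canUseQueryPlugin: entityTypes.length > 0, // scenario 3: nothing to query
  };
}

// Assumption: a list is viewable only if its record type is currently visible,
// so the result follows the permissions held now, not at list creation time.
function canViewList(list, userPerms) {
  return listsAccess(userPerms).entityTypes.includes(list.entityType);
}
```

Evaluating the check against the permissions the user holds at request time means a revoked "get" permission takes effect without any special handling.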