Permissions naming convention
- Oleksii Kuzminov
- Craig McNally
- Julian Ladisch
- Taras Spashchenko
A set of naming conventions for permissions
The components of the permission names should be used in a hierarchical manner, from the most general (module) to the most specific (action). The permission name should contain the following components separated by a dot.
1. Module-Specific Prefix
Convention: Start with a service-specific prefix indicating the Folio module. The
mod-prefix should be excluded.Example:
finance-storageinfinance-storage.budgets.item.postExample:
notesinnotes.item.put
2. Resource Identifier
Convention: Follow with a resource identifier, specifying the particular resource is being accessed or modified.
Example:
budgetsinfinance-storage.budgets.item.post.Example:
fiscal-yearsinfinance-storage.fiscal-years.item.delete
3. Entity Scope
Convention: Indicate the scope of the operation: whether it's for a single entity (
item) or multiple entities (collection).Example:
iteminfinance-storage.budgets.item.postsignifies an operation on a single budget entity.Example:
collectioninfinance-storage.budgets.collection.getsignifies an operation on a collection of budget entities. This is often used for for “get-by-query” or “delete-by-query” operations.
4. Procedural Permissions
Convention: Use a clear and descriptive name for procedural permissions, usually ending with an action verb.
Example:
invoice-transaction-summaries.executeinfinance.invoice-transaction-summaries.executeExample:
check-out-by-barcode.postincirculation.check-out-by-barcode.post
5. Action Verb
Convention:
Backend permission action verbs: Use HTTP-like verbs to specify the action. The available action verbs are:
getfor retrievalpostfor creation and executionputfor updatespatchfor partial updatesdeletefor deleteexecutefor execution
Frontend permission action verbs are:
viewfor viewing of entitieseditfor edit of entitiescreatefor creation of entitiesdeletefor deletion of entitiesenabled- single permission for the module, that marked it “enabled“execute- for actions' executionsmanage- any kind of aggregators or whenexecutesounds weird
Example:
postinfinance-storage.budgets.item.postindicates a creation operation,createin "ui-inventory.item.create"
6. Settings Permissions
The settings permissions should not have action verb.
Example:
ui-inventory.settings.call-number-types
7. General Permissions
Convention: For broad or general permissions that encompass multiple actions or resources, use a comprehensive term followed by
all.Example:
funds.allinfinance.funds.allindicates a permission that applies to all actions related to funds.
Use of punctuation
As described above, permission names are segmented, with segments delimited by dot/period .
Within each segment, there is sometimes a need for further segmentation. E.g. check-in-by-barcode or inventory-storage. These segments are usually delimited by dash/hyphen -. When translating these permissions to corresponding resource/action, these dashes/hyphens are carried forward. For instance:
Given permission
ui-inventory.call-number-browse.viewyou end up with:resource:
UI-Inventory Call-Number-Browseaction:
view
Given permission
orders-storage.po-lines.item.getyou end up with:resource:
Orders-Storage Po-Lines Itemaction:
view
As shown in the examples above, when forming the resource name, the hyphens/dashes are carried forward and the dots/periods are replaced by a single space when forming the resource name.
Underscores, while not commonly used in permission names, are technically valid. These, like dot/period are replaced by a single space when forming the resource name. For example:
Given the permission
erm.sts_for_platform_id.collection.getyou end up with:resource:
Erm Sts For Platform Id Collectionaction:
view
Current naming conventions violations
The wiki page Permissions violations lists permissions which do not align with the naming conventions described herein. Common convention violations include:
The backend action verb (e.g. execute, post) is omitted: circulation.internal.apply-rules , circulation.override-patron-block, okapi.env.list
The frontend action verb (e.g. edit, execute) is omitted: ui-users.loans.renew, ui-users.loans.renew
The general postfix ui-orders.third-party-services, ui-users.feefineactions, ui-users.accounts
Using non-standard action verbs: user-import.add, ui-users.loans.anonymize, mod-settings.global.read.ui-ldp.admin, ui-inventory.instance.createOrder
Adding additional details after the action verb: ui-bulk-edit.view.base,
Conclusion
These conventions should help in maintaining a structured and clear approach to defining permissions, making it easier for developers and administrators to understand and manage access controls within the Folio.
@Niels Erik Nielsen I just saw this comment for the first time now. Sorry about that. I will raise this question with the Eureka team. Your comment is quite old at this point. I wonder what if anything was done in the modules you refer to wrt upsert endpoints.
Not what I know of, no. This is from mod-settings’s readme
It seems very unlikely that there would be an upsert action that is using a separate endpoint than just a regular insert action. E.g. if POST /someitem either creates new OR updates existing item - e.g. does update/insert=upsert - than this is a single endpoint, and it’s sufficient to have single permission - e.g. with <name>.item.post in name (or <name>.item.put).
With regard to an example provided with import of multiple entries in mod-settings via “PUT /settings/upload” - this is not just an upsert operation, because simple upsert is for single entry. This is an import action, e.g. batch create - or batch upsert in this case.
Again, same logic applies - there will probably never be two separate endpoints for batch insert and batch upsert - there is just one batch upsert. And thus we only need single permission for batch upsert, which would be same as for batch create - <name>.collection.put (or <name>.collection.post - not sure why they use PUT and not POST for import)
“not sure why they use PUT and not POST for import”
The convention says it. Use
putfor updates
and the API in question updates 🤷♂️
Well, if it’s an upsert - then it does both creation and update, not just update. In which case it seems POST would be a preferred choice in my opinion.
But it can be PUT as well, I suppose that’s not very important.
This set of verbs doesn’t seem to cover so-called “upsert” actions, that is APIs that for the client’s convenience and for performance optimization decides on the fly whether submitted records are updates or creates?
mod-settings, mod-inventory-update and possibly other modules have APIs like that, and the convention would force a choice that cannot accurately reflect the action.
Also, if you have both an update, an insert and an upsert action for a given API, it appears you could end up with permission name collisions, following these conventions in combination with section 3.