Date

30 Mar 2022

Attendees

Goals

Erin and Patty will present on UXPROD-3614 - Permissions Management improvements for Morning Glory

Discussion items

Time

Item

Who

Notes

5 min

Note taker

Maura

Maura took notes for this meeting.

30 min

Discuss UXPROD-3614

Erin and Patty

Erin shared a slide presentation explaining the changes that needed discussion for Morining Glory.

The way permissions management works in Kiwi is too broad, and needs to be tightened up.

In Lotus, developers added three permissions.
- Perms.users.assign.mutable ("mutable" = "Permission sets" in the UI)
- Perms.users.assign.immutable ("immutable" = "Permissions" in the UI)
- Perms.users.assign.okapi
The developers also added a function in Lotus where a user who was granted permission to assign or unassign permissions could not add permissions that they themselves didn't already possess.
For Morning Glory, developers need our input in the following:
- Are there use cases for permissions management where FOLIO users should only be able to assign permissions to other users that they already own? The SIG answered yes.
- Are there use cases for permissions management where FOLIO users should only be able to assign locally-created permission sets to other users? The SIG answered yes.
- Should a user be able to “Unassign all permissions” even if they include permissions that person doesn’t own? The SIG agreed with RA-SIG - This should be possible, but it should have its own permission.
- Proposed UI changes:
  - If User A needs to assign permissions to User B using the Users UI, the list that comes up should have a greyed-out checkbox for permissions that User A doesn't possess.
  - The term "Permission sets" should be changed to "Permission groups," to cut down on confusion.
The question boils down to three options:
- Option 1: keep Lotus functionality as-is, and any user with permission to assign/unassign permissions can do so regardless of whether they possess those permissions themselves.
- Option 2: The current permission named "Users: Can assign and unassign permissions to users" applies only to permissions to current user possesses. Also make the "Perms.users.assign.[mutable | immutable]" visible, specifically labeling each of them as permission to add/remove permissions (or sets) the current user doesn't possess.
- Option 3: Same as Option 2, except that the "Perms.users.assign.[mutable | immutable]" are combined and made visible.

The SIG favored Option 3.

Erin and Patty will write up User Stories for these functions.

Action items

Browser not supported