A set of naming conventions for permissions
The components of the permission names should be used in a hierarchical manner, from the most general (module) to the most specific (action). The permission name should contain the following components separated by a dot.
1. Module-Specific Prefix
Convention: Start with a service-specific prefix indicating the Folio module.
Example:
finance-storage
infinance-storage.budgets.item.post
.
2. Resource Identifier
Convention: Follow with a resource identifier, specifying the particular resource is being accessed or modified.
Example:
budgets
infinance-storage.budgets.item.post
.
3. Entity Scope
Convention: Indicate the scope of the operation: whether it's for a single entity (
item
) or multiple entities (collection
).Example:
item
infinance-storage.budgets.item.post
signifies an operation on a single budget entity.
4. Procedural Permissions
Convention: Use a clear and descriptive name for procedural permissions, usually ending with an action verb.
Example:
invoice-transaction-summaries.execute
infinance.invoice-transaction-summaries-execute
.
5. Action Verb
Convention:
Backend permission action verbs: Use HTTP-like verbs to specify the action. The available action verbs are:
get
for retrievalpost
for creation and executionput
for updatespatch
for partial updatesdelete
for deleteexecute
for execution
Frontend permission action verbs are:
view
for viewing of entitiesedit
for edit of entitiescreate
for creation of entitiesenabled
- single permission for the module, that marked it “enabled“
Example:
post
infinance-storage.budgets.item.post
indicates a creation operation,create
in "ui-inventory.item.create"
6. Settings Permissions
The settings permissions should not have action verb.
Example:
ui-inventory.settings.call-number-types
7. General Permissions
Convention: For broad or general permissions that encompass multiple actions or resources, use a comprehensive term followed by
all
.Example:
funds.all
infinance.funds.all
indicates a permission that applies to all actions related to funds.
Current naming conventions violations
In the file above there are permissions, that are not matched with algorithm, that uses the naming conventions.
Common conventions violations cases are:
The backend action verb (e.g. execute, post) is omitted: circulation.internal.apply-rules , circulation.override-patron-block, okapi.env.list
The frontend action verb (e.g. edit, execute) is omitted: ui-users.loans.renew, ui-users.loans.renew
The general postfix ui-orders.third-party-services, ui-users.feefineactions, ui-users.accounts
Using non-standard action verbs: user-import.add, ui-users.loans.anonymize, mod-settings.global.read.ui-ldp.admin, ui-inventory.instance.createOrder
Adding additional details after the action verb: ui-bulk-edit.view.base,
Conclusion
These conventions should help in maintaining a structured and clear approach to defining permissions, making it easier for developers and administrators to understand and manage access controls within the Folio.