Create Right: Manage Roles

Description

There should be an Administrative type Right that a User may be assigned via a Role that allows them to Manage (View, Create, Edit) the Roles.

Acceptance:

there is a new Administrative type of right named USER_ROLES_MANAGE in Reference Data
the endpoint POST /api/roles and PUT /api/roles/{id} may use the above right in creating Administrative roles
the PUT, POST & DELETE endpoints (for collection and single resource) check if the User has the given right, returns a 403 if the User doesn't have the right
the GET endpoint requires the user has this right, or that the token is a service level token. Returns 403 otherwise.
RAML is updated
Check to ensure clients of updated endpoints don't break - raise an issue to the larger group if it does.

Attachments

OLMIS1556o.png

18 Jan, 2017

OLMIS1556n.png

18 Jan, 2017

OLMIS1556m.png

18 Jan, 2017

OLMIS1556l.png

18 Jan, 2017

OLMIS1556k.png

18 Jan, 2017

OLMIS1556j.png

18 Jan, 2017

OLMIS1556i.png

18 Jan, 2017

OLMIS1556h.png

18 Jan, 2017

OLMIS1556e.png

18 Jan, 2017

OLMIS1556d.png

18 Jan, 2017

OLMIS1556c.png

18 Jan, 2017

OLMIS1556a.png

18 Jan, 2017

OLMIS1556.png

18 Jan, 2017

Linked work items

is blocked by

OLMIS-1497

Implement service-level rights pattern based on PoC code

Confluence content

mentioned on

https://openlmis.atlassian.net/wiki/spaces/OP/pages/106627087/Backlog+Grooming+Sprint+17

QAlity Plus - Test Management

Checklists

Activity

Anna Czyrko

January 18, 2017 at 12:51 PM

To sum up - all works:

POST /api/roles
PUT /api/roles/ {roleId}
GET /api/roles/{roleId}
DELETE /api/roles/ {roleId}
GET /api/roles

Anna Czyrko

January 18, 2017 at 12:49 PM

POST /api/roles
administrator:

devadmin:

PUT /api/roles/{roleId}
administrator:

devadmin

GET /api/roles/{roleId}
administrator:

devadmin:

DELETE /api/roles/{roleId}
administrator:

devadmin

Anna Czyrko

January 18, 2017 at 12:21 PM

(edited)

there is a new Administrative type of right named USER_ROLES_MANAGE in Reference Data

the endpoint POST /api/roles and PUT /api/roles/{id} may use the above right in creating Administrative roles

the PUT, POST & DELETE endpoints (for collection and single resource) check if the User has the given right, returns a 403 if the User doesn't have the right

the GET endpoint requires the user has this right, or that the token is a service level token. Returns 403 otherwise.

administrator:

devadmin:

RAML is updated

Chongsun Ahn

January 17, 2017 at 4:37 AM

@Sebastian Brudziński @Josh Zamor The style guide in the service template specifies that names should have a RESOURCE_ACTION pattern, so ROLES_MANAGE. It does not specify a service/component prefix. After some thought on it, I think it is appropriate not to have a service/component prefix, since a right may not necessarily belong to a service (an example is SYSTEM_SETTINGS_MANAGE, to manage system settings for the whole system, not just one service). So in this case, I think ROLES_MANAGE is good. I would prefer to pluralize resources (so ROLES_MANAGE, not ROLE_MANAGE), since the right is to manage roles, not manage just one role.

Josh Zamor

January 16, 2017 at 7:14 PM

Good point. @Chongsun Ahn does the guidance cover this? Or did I remember our discussion wrong? @Sebastian Brudziński we will clear this up by tomorrow, we're on holiday here.

Resize work item view side panel

Done

Pinned fields

Click on the next to a field label to start pinning.

Details

Assignee

Sebastian Brudziński

Reporter

Josh Zamor(Deactivated)

Labels

RBAC

Story Points

Original estimate

1d 4h

Time tracking

1d 4h logged

Components

Reference Data

Sprint

Add sprint

Fix versions

3.0

Priority

Minor

Time Assistant

Created December 29, 2016 at 5:10 AM

Updated January 18, 2017 at 12:52 PM

Resolved January 18, 2017 at 12:52 PM