introduces agent+guest role for role-system around debitor+partner
This commit is contained in:
parent
de0c8dcfbc
commit
0b60b9f0ff
41
doc/rbac.md
41
doc/rbac.md
@ -220,19 +220,52 @@ By this, all roles ob sub-objects, which are assigned to the 'admin' role, are a
|
||||
The admin-role is granted to a role of those subjects who manage the business object.
|
||||
E.g. a 'package' is manged by the admin of the customer.
|
||||
|
||||
Whoever has the admin-role assigned, do everything with the related business-object, including deleting (or deactivating) it.
|
||||
Whoever has the admin-role assigned, can usually edit the related business-object but not deleting (or deactivating) it.
|
||||
|
||||
In most cases, the permissions to the 'view' operation is granted through the 'tenant' role.
|
||||
By this, all roles ob sub-objects, which are assigned to the 'tenent' role, are also granted to the 'admin'.
|
||||
The admin-role also comprises lesser roles, through which the view-permission is granted.
|
||||
|
||||
#### agent
|
||||
|
||||
The agent-role is not used in the examples of this document, because it's for more complex cases.
|
||||
It's usually granted to those roles and users who represent the related business-object, but are not allowed to edit it.
|
||||
|
||||
Other than the tenant-role, it usually offers broader visibility of sub-business-objects (joined entities).
|
||||
E.g. a package-admin is allowed to see the related debitor-business-object,
|
||||
but not its banking data.
|
||||
|
||||
#### tenant
|
||||
|
||||
The tenant-role is granted to everybody who needs to be able to view the business-object.
|
||||
The tenant-role is granted to everybody who needs to be able to view the business-object and (probably some) related business-objects.
|
||||
Usually all owners, admins and tenants of sub-objects get this role granted.
|
||||
|
||||
Some business-objects only have very limited data directly in the main business-object and store more sensitive data in special sub-objects (e.g. 'customer-details') to which tenants of sub-objects of the main-object (e.g. package admins) do not get view permission.
|
||||
|
||||
#### guest
|
||||
|
||||
Like the agent-role, the guest-role too is not used in the examples of this document, because it's for more complex cases.
|
||||
|
||||
If the guest-role exists, the view-permission is granted to it, instead of to the tenant-role.
|
||||
Other than the tenant-role, the guest-roles does never grant any roles of related objects.
|
||||
|
||||
Also, if the guest-role exists, the tenant-role receives the view-permission through the guest-role.
|
||||
|
||||
|
||||
### Referenced Business Objects and Role-Depreciation
|
||||
|
||||
A general rule is, if one business object *origin* references another object *target* (in other words: one database table joins another table),
|
||||
**and** a role for *origin* needs also access to *target*,
|
||||
then usually the *target* role is granted to the *origin* role which is one level lower.
|
||||
|
||||
E.g. the admin-role of the *origin* object gets granted the agent-role (or, if it does not exist, then the tenant-role) of the *target* object.
|
||||
|
||||
Following this rule, also implies, that the number of indirections to which visibility can be granted is limited.
|
||||
The admin-role of one object could be granted visibility to another object through at maximum 3 joins (agent->tenant->guest).
|
||||
|
||||
But not in all cases role-depreciation takes place.
|
||||
E.g. often a tenant-role is granted another tenant-role,
|
||||
because it should be again allowed to view sub-objects.
|
||||
The same for the agent-role, often it is granted another agent-role.
|
||||
|
||||
|
||||
## Example Users, Roles, Permissions and Business-Objects
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
package net.hostsharing.hsadminng.rbac.rbacrole;
|
||||
|
||||
public enum RbacRoleType {
|
||||
owner, admin, tenant
|
||||
owner, admin, agent, tenant, guest
|
||||
}
|
||||
|
@ -186,7 +186,7 @@ end; $$;
|
||||
|
||||
*/
|
||||
|
||||
create type RbacRoleType as enum ('owner', 'admin', 'tenant');
|
||||
create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest');
|
||||
|
||||
create table RbacRole
|
||||
(
|
||||
|
@ -2,47 +2,19 @@
|
||||
|
||||
-- ============================================================================
|
||||
-- PERMISSIONS
|
||||
--changeset rbac-role-builder-permissions:1 endDelimiter:--//
|
||||
--changeset rbac-role-builder-to-uuids:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
|
||||
*/
|
||||
|
||||
create type RbacPermissions as
|
||||
(
|
||||
permissionUuids uuid[]
|
||||
);
|
||||
|
||||
create or replace function grantingPermissions(forObjectUuid uuid, permitOps RbacOp[])
|
||||
returns RbacPermissions
|
||||
create or replace function toPermissionUuids(forObjectUuid uuid, permitOps RbacOp[])
|
||||
returns uuid[]
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return row (createPermissions(forObjectUuid, permitOps))::RbacPermissions;
|
||||
return createPermissions(forObjectUuid, permitOps);
|
||||
end; $$;
|
||||
|
||||
create or replace function withoutPermissions()
|
||||
returns RbacPermissions
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return row (array []::uuid[]);
|
||||
end; $$;
|
||||
|
||||
--//
|
||||
|
||||
--changeset rbac-role-builder-super-roles:1 endDelimiter:--//
|
||||
|
||||
/*
|
||||
|
||||
*/
|
||||
create type RbacSuperRoles as
|
||||
(
|
||||
roleUuids uuid[]
|
||||
);
|
||||
|
||||
create or replace function beneathRoles(roleDescriptors RbacRoleDescriptor[])
|
||||
returns RbacSuperRoles
|
||||
create or replace function toRoleUuids(roleDescriptors RbacRoleDescriptor[])
|
||||
returns uuid[]
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
@ -56,145 +28,22 @@ begin
|
||||
end if;
|
||||
end loop;
|
||||
|
||||
return row (superRoleUuids)::RbacSuperRoles;
|
||||
return superRoleUuids;
|
||||
end; $$;
|
||||
|
||||
create or replace function beneathRole(roleDescriptor RbacRoleDescriptor)
|
||||
returns RbacSuperRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return beneathRoles(array [roleDescriptor]);
|
||||
end; $$;
|
||||
|
||||
create or replace function beneathRole(roleUuid uuid)
|
||||
returns RbacSuperRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return row (array [roleUuid]::uuid[])::RbacSuperRoles;
|
||||
end; $$;
|
||||
|
||||
create or replace function asTopLevelRole()
|
||||
returns RbacSuperRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return row (array []::uuid[])::RbacSuperRoles;
|
||||
end; $$;
|
||||
|
||||
--//
|
||||
|
||||
-- =================================================================
|
||||
-- SUB ROLES
|
||||
--changeset rbac-role-builder-sub-roles:1 endDelimiter:--//
|
||||
-- -----------------------------------------------------------------
|
||||
|
||||
/*
|
||||
|
||||
*/
|
||||
create type RbacSubRoles as
|
||||
(
|
||||
roleUuids uuid[]
|
||||
);
|
||||
|
||||
create or replace function beingItselfA(roleUuid uuid)
|
||||
returns RbacSubRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return row (array [roleUuid]::uuid[])::RbacSubRoles;
|
||||
end; $$;
|
||||
|
||||
create or replace function beingItselfA(roleDescriptor RbacRoleDescriptor)
|
||||
returns RbacSubRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return beingItselfA(getRoleId(roleDescriptor, 'fail'));
|
||||
end; $$;
|
||||
|
||||
create or replace function withSubRoles(roleDescriptors RbacRoleDescriptor[])
|
||||
returns RbacSubRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
subRoleDescriptor RbacRoleDescriptor;
|
||||
subRoleUuids uuid[] := array []::uuid[];
|
||||
begin
|
||||
foreach subRoleDescriptor in array roleDescriptors
|
||||
loop
|
||||
if subRoleDescriptor is not null then
|
||||
subRoleUuids := subRoleUuids || getRoleId(subRoleDescriptor, 'fail');
|
||||
end if;
|
||||
end loop;
|
||||
|
||||
return row (subRoleUuids)::RbacSubRoles;
|
||||
end; $$;
|
||||
|
||||
create or replace function withoutSubRoles()
|
||||
returns RbacSubRoles
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return row (array []::uuid[]);
|
||||
end; $$;
|
||||
|
||||
--//
|
||||
|
||||
-- =================================================================
|
||||
-- USERS
|
||||
--changeset rbac-role-builder-users:1 endDelimiter:--//
|
||||
-- -----------------------------------------------------------------
|
||||
|
||||
/*
|
||||
*/
|
||||
create type RbacUsers as
|
||||
(
|
||||
userUuids uuid[]
|
||||
);
|
||||
|
||||
create or replace function withUsers(userNames varchar[])
|
||||
returns RbacUsers
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
userName varchar;
|
||||
userUuids uuid[] := array []::uuid[];
|
||||
begin
|
||||
foreach userName in array userNames
|
||||
loop
|
||||
userUuids := userUuids || getRbacUserId(userName, 'fail');
|
||||
end loop;
|
||||
|
||||
return row (userUuids)::RbacUsers;
|
||||
end; $$;
|
||||
|
||||
|
||||
create or replace function withUser(userName varchar, whenNotExists RbacWhenNotExists = 'fail')
|
||||
returns RbacUsers
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return row (array [getRbacUserId(userName, whenNotExists)]);
|
||||
end; $$;
|
||||
|
||||
--//
|
||||
|
||||
-- =================================================================
|
||||
-- CREATE ROLE
|
||||
--changeset rbac-role-builder-create-role:1 endDelimiter:--//
|
||||
-- -----------------------------------------------------------------
|
||||
|
||||
/*
|
||||
*/
|
||||
create or replace function createRole(
|
||||
create or replace function createRoleWithGrants(
|
||||
roleDescriptor RbacRoleDescriptor,
|
||||
permissions RbacPermissions,
|
||||
superRoles RbacSuperRoles,
|
||||
subRoles RbacSubRoles = null,
|
||||
users RbacUsers = null,
|
||||
grantingRoleUuid uuid = null
|
||||
permissions RbacOp[] = array[]::RbacOp[],
|
||||
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
||||
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
||||
userUuids uuid[] = array[]::uuid[],
|
||||
grantedByRole RbacRoleDescriptor = null
|
||||
)
|
||||
returns uuid
|
||||
called on null input
|
||||
@ -204,80 +53,37 @@ declare
|
||||
superRoleUuid uuid;
|
||||
subRoleUuid uuid;
|
||||
userUuid uuid;
|
||||
grantedByRoleUuid uuid;
|
||||
begin
|
||||
raise notice 'will createRole for %', roleDescriptor;
|
||||
roleUuid = createRole(roleDescriptor);
|
||||
roleUuid := createRole(roleDescriptor);
|
||||
|
||||
call grantPermissionsToRole(roleUuid, permissions.permissionUuids);
|
||||
|
||||
if superRoles is not null then
|
||||
foreach superRoleUuid in array superRoles.roleuUids
|
||||
loop
|
||||
call grantRoleToRole(roleUuid, superRoleUuid);
|
||||
end loop;
|
||||
if cardinality(permissions) >0 then
|
||||
call grantPermissionsToRole(roleUuid, toPermissionUuids(roleDescriptor.objectuuid, permissions));
|
||||
end if;
|
||||
|
||||
if subRoles is not null then
|
||||
foreach subRoleUuid in array subRoles.roleuUids
|
||||
loop
|
||||
call grantRoleToRole(subRoleUuid, roleUuid);
|
||||
end loop;
|
||||
end if;
|
||||
foreach superRoleUuid in array toRoleUuids(incomingSuperRoles)
|
||||
loop
|
||||
call grantRoleToRole(roleUuid, superRoleUuid);
|
||||
end loop;
|
||||
|
||||
if users is not null then
|
||||
foreach userUuid in array users.useruUids
|
||||
foreach subRoleUuid in array toRoleUuids(outgoingSubRoles)
|
||||
loop
|
||||
call grantRoleToRole(subRoleUuid, roleUuid);
|
||||
end loop;
|
||||
|
||||
if cardinality(userUuids) > 0 then
|
||||
if grantedByRole is null then
|
||||
raise exception 'to directly assign users to roles, grantingRole has to be given';
|
||||
end if;
|
||||
grantedByRoleUuid := getRoleId(grantedByRole, 'fail');
|
||||
foreach userUuid in array userUuids
|
||||
loop
|
||||
call grantRoleToUserUnchecked(grantingRoleUuid, roleUuid, userUuid);
|
||||
call grantRoleToUserUnchecked(grantedByRoleUuid, roleUuid, userUuid);
|
||||
end loop;
|
||||
end if;
|
||||
|
||||
return roleUuid;
|
||||
end; $$;
|
||||
|
||||
create or replace function createRole(
|
||||
roleDescriptor RbacRoleDescriptor,
|
||||
permissions RbacPermissions,
|
||||
users RbacUsers = null,
|
||||
grantingRoleUuid uuid = null
|
||||
)
|
||||
returns uuid
|
||||
called on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return createRole(roleDescriptor, permissions, null, null, users, grantingRoleUuid);
|
||||
end; $$;
|
||||
|
||||
create or replace function createRole(
|
||||
roleDescriptor RbacRoleDescriptor,
|
||||
permissions RbacPermissions,
|
||||
subRoles RbacSubRoles,
|
||||
users RbacUsers = null,
|
||||
grantingRoleUuid uuid = null
|
||||
)
|
||||
returns uuid
|
||||
called on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return createRole(roleDescriptor, permissions, null, subRoles, users, grantingRoleUuid);
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
-- =================================================================
|
||||
-- CREATE ROLE
|
||||
--changeset rbac-role-builder-GRANTED-BY-ROLE:1 endDelimiter:--//
|
||||
-- -----------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Used in role-builder-DSL to convert a role descriptor to it's uuid
|
||||
for use as `grantedByRoleUuid`.
|
||||
*/
|
||||
create or replace function grantedByRole(roleDescriptor RbacRoleDescriptor)
|
||||
returns uuid
|
||||
strict leakproof
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return getRoleId(roledescriptor, 'fail');
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
|
||||
|
@ -58,6 +58,14 @@ begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'admin');
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAgent(entity %2$s)
|
||||
returns RbacRoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'agent');
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sTenant(entity %2$s)
|
||||
returns RbacRoleDescriptor
|
||||
language plpgsql
|
||||
@ -66,6 +74,14 @@ begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'tenant');
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sGuest(entity %2$s)
|
||||
returns RbacRoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return roleDescriptor('%2$s', entity.uuid, 'guest');
|
||||
end; $f$;
|
||||
|
||||
$sql$, prefix, targetTable);
|
||||
execute sql;
|
||||
end; $$;
|
||||
|
@ -35,28 +35,28 @@ begin
|
||||
end if;
|
||||
|
||||
-- the owner role with full access for Hostsharing administrators
|
||||
testCustomerOwnerUuid = createRole(
|
||||
testCustomerOwnerUuid = createRoleWithGrants(
|
||||
testCustomerOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(globalAdmin())
|
||||
permissions => array['*'],
|
||||
incomingSuperRoles => array[globalAdmin()]
|
||||
);
|
||||
|
||||
-- the admin role for the customer's admins, who can view and add products
|
||||
customerAdminUuid = createRole(
|
||||
customerAdminUuid = createRoleWithGrants(
|
||||
testCustomerAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
|
||||
permissions => array['view', 'add-package'],
|
||||
-- NO auto assume for customer owner to avoid exploding permissions for administrators
|
||||
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
|
||||
grantedByRole(globalAdmin())
|
||||
userUuids => array[getRbacUserId(NEW.adminUserName, 'create')], -- implicitly ignored if null
|
||||
grantedByRole => globalAdmin()
|
||||
);
|
||||
|
||||
-- allow the customer owner role (thus administrators) to assume the customer admin role
|
||||
call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
|
||||
|
||||
-- the tenant role which later can be used by owners+admins of sub-objects
|
||||
perform createRole(
|
||||
perform createRoleWithGrants(
|
||||
testCustomerTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
|
||||
permissions => array['view']
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
@ -36,25 +36,25 @@ begin
|
||||
select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
|
||||
|
||||
-- an owner role is created and assigned to the customer's admin role
|
||||
packageOwnerRoleUuid = createRole(
|
||||
testPackageOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(testCustomerAdmin(parentCustomer))
|
||||
perform createRoleWithGrants(
|
||||
testPackageOwner(NEW),
|
||||
permissions => array ['*'],
|
||||
incomingSuperRoles => array[testCustomerAdmin(parentCustomer)]
|
||||
);
|
||||
|
||||
-- an owner role is created and assigned to the package owner role
|
||||
packageAdminRoleUuid = createRole(
|
||||
testPackageAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-domain']),
|
||||
beneathRole(packageOwnerRoleUuid)
|
||||
perform createRoleWithGrants(
|
||||
testPackageAdmin(NEW),
|
||||
permissions => array ['add-domain'],
|
||||
incomingSuperRoles => array[testPackageOwner(NEW)]
|
||||
);
|
||||
|
||||
-- and a package tenant role is created and assigned to the package admin as well
|
||||
perform createRole(
|
||||
testPackageTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRole(packageAdminRoleUuid),
|
||||
beingItselfA(testCustomerTenant(parentCustomer))
|
||||
perform createRoleWithGrants(
|
||||
testPackageTenant(NEW),
|
||||
permissions => array['view'],
|
||||
incomingsuperroles => array[testPackageAdmin(NEW)],
|
||||
outgoingSubRoles => array[testCustomerTenant(parentCustomer)]
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
@ -26,10 +26,10 @@ begin
|
||||
return domainTenantRoleUuid;
|
||||
end if;
|
||||
|
||||
return createRole(
|
||||
return createRoleWithGrants(
|
||||
domainTenantRoleDesc,
|
||||
grantingPermissions(forObjectUuid => domain.uuid, permitOps => array ['view']),
|
||||
beneathRole(testdomainAdmin(domain))
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[testdomainAdmin(domain)]
|
||||
);
|
||||
end; $$;
|
||||
--//
|
||||
@ -48,8 +48,6 @@ create or replace function createRbacRulesForTestDomain()
|
||||
strict as $$
|
||||
declare
|
||||
parentPackage test_package;
|
||||
domainOwnerRoleId uuid;
|
||||
domainAdminRoleId uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
@ -58,18 +56,18 @@ begin
|
||||
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
||||
|
||||
-- an owner role is created and assigned to the package's admin group
|
||||
domainOwnerRoleId = createRole(
|
||||
testdomainOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(testPackageAdmin(parentPackage))
|
||||
perform createRoleWithGrants(
|
||||
testDomainOwner(NEW),
|
||||
permissions => array['*'],
|
||||
incomingSuperRoles => array[testPackageAdmin(parentPackage)]
|
||||
);
|
||||
|
||||
-- and a domain admin role is created and assigned to the domain owner as well
|
||||
domainAdminRoleId = createRole(
|
||||
testdomainAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(domainOwnerRoleId),
|
||||
beingItselfA(testPackageTenant(parentPackage))
|
||||
perform createRoleWithGrants(
|
||||
testDomainAdmin(NEW),
|
||||
permissions => array['edit'],
|
||||
incomingSuperRoles => array[testDomainOwner(NEW)],
|
||||
outgoingSubRoles => array[testPackageTenant(parentPackage)]
|
||||
);
|
||||
|
||||
-- a tenent role is only created on demand
|
||||
|
@ -34,28 +34,29 @@ begin
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
-- the owner role with full access for the creator assigned to the current user
|
||||
ownerRole := createRole(
|
||||
hsOfficeContactOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(globalAdmin()),
|
||||
withoutSubRoles(),
|
||||
withUser(currentUser()), -- TODO.spec: Who is owner of a new contact?
|
||||
grantedByRole(globalAdmin())
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeContactOwner(NEW),
|
||||
permissions => array['*'],
|
||||
incomingSuperRoles => array[globalAdmin()],
|
||||
userUuids => array[currentUserUuid()],
|
||||
grantedByRole => globalAdmin()
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
adminRole := createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeContactAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(ownerRole)
|
||||
permissions => array['edit'],
|
||||
incomingSuperRoles => array[hsOfficeContactOwner(NEW)]
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
perform createRole(
|
||||
hsOfficeContactTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRole(adminRole)
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeContactTenant(NEW),
|
||||
incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeContactGuest(NEW),
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[hsOfficeContactTenant(NEW)]
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
@ -24,36 +24,34 @@ create or replace function createRbacRolesForHsOfficePerson()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
ownerRole uuid;
|
||||
adminRole uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
-- the owner role with full access for the creator assigned to the current user
|
||||
ownerRole := createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePersonOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(globalAdmin()),
|
||||
withoutSubRoles(),
|
||||
withUser(currentUser()), -- TODO.spec: Who is owner of a new person?
|
||||
grantedByRole(globalAdmin())
|
||||
permissions => array['*'],
|
||||
incomingSuperRoles => array[globalAdmin()],
|
||||
userUuids => array[currentUserUuid()],
|
||||
grantedByRole => globalAdmin()
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
adminRole := createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePersonAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(ownerRole)
|
||||
permissions => array['edit'],
|
||||
incomingSuperRoles => array[hsOfficePersonOwner(NEW)]
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
perform createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePersonTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRole(adminRole)
|
||||
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePersonGuest(NEW),
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[hsOfficePersonTenant(NEW)]
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
@ -0,0 +1,66 @@
|
||||
### hs_office_partner RBAC
|
||||
|
||||
```mermaid
|
||||
flowchart TB
|
||||
|
||||
subgraph global
|
||||
style global fill:#eee
|
||||
|
||||
role:global.admin[global.admin]
|
||||
end
|
||||
|
||||
subgraph hsOfficeContact
|
||||
direction TB
|
||||
style hsOfficeContact fill:#eee
|
||||
|
||||
role:hsOfficeContact.admin[contact.admin]
|
||||
--> role:hsOfficeContact.tenant[contact.tenant]
|
||||
--> role:hsOfficeContact.guest[contact.guest]
|
||||
end
|
||||
|
||||
subgraph hsOfficePerson
|
||||
direction TB
|
||||
style hsOfficePerson fill:#eee
|
||||
|
||||
role:hsOfficePerson.admin[person.admin]
|
||||
--> role:hsOfficePerson.tenant[person.tenant]
|
||||
--> role:hsOfficePerson.guest[person.guest]
|
||||
end
|
||||
|
||||
subgraph hsOfficePartner
|
||||
|
||||
role:hsOfficePartner.owner[partner.owner]
|
||||
%% permissions
|
||||
role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
|
||||
%% incoming
|
||||
role:global.admin ---> role:hsOfficePartner.owner
|
||||
|
||||
role:hsOfficePartner.admin[partner.admin]
|
||||
%% permissions
|
||||
role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
|
||||
%% incoming
|
||||
role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
|
||||
%% outgoing
|
||||
role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
|
||||
role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
|
||||
|
||||
role:hsOfficePartner.agent[partner.agent]
|
||||
%% incoming
|
||||
role:hsOfficePartner.admin ---> role:hsOfficePartner.agent
|
||||
role:hsOfficePerson.admin --> role:hsOfficePartner.agent
|
||||
role:hsOfficeContact.admin --> role:hsOfficePartner.agent
|
||||
|
||||
role:hsOfficePartner.tenant[partner.tenant]
|
||||
%% incoming
|
||||
role:hsOfficePartner.agent --> role:hsOfficePartner.tenant
|
||||
%% outgoing
|
||||
role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
|
||||
role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
|
||||
|
||||
role:hsOfficePartner.guest[partner.guest]
|
||||
%% permissions
|
||||
role:hsOfficePartner.guest --> perm:hsOfficePartner.view{{partner.view}}
|
||||
%% incoming
|
||||
role:hsOfficePartner.tenant --> role:hsOfficePartner.guest
|
||||
end
|
||||
```
|
@ -28,46 +28,56 @@ create or replace function hsOfficePartnerRbacRolesTrigger()
|
||||
strict as $$
|
||||
declare
|
||||
hsOfficePartnerTenant RbacRoleDescriptor;
|
||||
ownerRole uuid;
|
||||
adminRole uuid;
|
||||
oldPerson hs_office_person;
|
||||
newPerson hs_office_person;
|
||||
oldContact hs_office_contact;
|
||||
newContact hs_office_contact;
|
||||
begin
|
||||
|
||||
hsOfficePartnerTenant := hsOfficePartnerTenant(NEW);
|
||||
|
||||
select * from hs_office_person as p where p.uuid = NEW.personUuid into newPerson;
|
||||
select * from hs_office_contact as c where c.uuid = NEW.contactUuid into newContact;
|
||||
|
||||
if TG_OP = 'INSERT' then
|
||||
|
||||
-- the owner role with full access for the global admins
|
||||
ownerRole = createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePartnerOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(globalAdmin())
|
||||
permissions => array['*'],
|
||||
incomingSuperRoles => array[globalAdmin()]
|
||||
);
|
||||
|
||||
-- the admin role with full access for owner
|
||||
adminRole = createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePartnerAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(ownerRole)
|
||||
permissions => array['edit'],
|
||||
incomingSuperRoles => array[
|
||||
hsOfficePartnerOwner(NEW)],
|
||||
outgoingSubRoles => array[
|
||||
hsOfficePersonTenant(newPerson),
|
||||
hsOfficeContactTenant(newContact)]
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
perform createRole(
|
||||
hsOfficePartnerTenant,
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRoles(array[
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePartnerAgent(NEW),
|
||||
incomingSuperRoles => array[
|
||||
hsOfficePartnerAdmin(NEW),
|
||||
hsOfficePersonAdmin(newPerson),
|
||||
hsOfficeContactAdmin(newContact)]),
|
||||
withSubRoles(array[
|
||||
hsOfficePersonTenant(newPerson),
|
||||
hsOfficeContactTenant(newContact)])
|
||||
hsOfficeContactAdmin(newContact)]
|
||||
);
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePartnerTenant(NEW),
|
||||
incomingSuperRoles => array[
|
||||
hsOfficePartnerAgent(NEW)],
|
||||
outgoingSubRoles => array[
|
||||
hsOfficePersonGuest(newPerson),
|
||||
hsOfficeContactGuest(newContact)]
|
||||
);
|
||||
|
||||
|
||||
perform createRoleWithGrants(
|
||||
hsOfficePartnerGuest(NEW),
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[
|
||||
hsOfficePartnerTenant(NEW)]
|
||||
);
|
||||
|
||||
elsif TG_OP = 'UPDATE' then
|
||||
@ -75,21 +85,27 @@ begin
|
||||
if OLD.personUuid <> NEW.personUuid then
|
||||
select * from hs_office_person as p where p.uuid = OLD.personUuid into oldPerson;
|
||||
|
||||
call revokeRoleFromRole( hsOfficePartnerTenant, hsOfficePersonAdmin(oldPerson) );
|
||||
call grantRoleToRole( hsOfficePartnerTenant, hsOfficePersonAdmin(newPerson) );
|
||||
|
||||
call revokeRoleFromRole( hsOfficePersonTenant(oldPerson), hsOfficePartnerTenant );
|
||||
call grantRoleToRole( hsOfficePersonTenant(newPerson), hsOfficePartnerTenant );
|
||||
call revokeRoleFromRole(hsOfficePersonTenant(oldPerson), hsOfficePartnerAdmin(OLD));
|
||||
call grantRoleToRole(hsOfficePersonTenant(newPerson), hsOfficePartnerAdmin(NEW));
|
||||
|
||||
call revokeRoleFromRole(hsOfficePartnerAgent(OLD), hsOfficePersonAdmin(oldPerson));
|
||||
call grantRoleToRole(hsOfficePartnerAgent(NEW), hsOfficePersonAdmin(newPerson));
|
||||
|
||||
call revokeRoleFromRole(hsOfficePersonGuest(oldPerson), hsOfficePartnerTenant(OLD));
|
||||
call grantRoleToRole(hsOfficePersonGuest(newPerson), hsOfficePartnerTenant(NEW));
|
||||
end if;
|
||||
|
||||
if OLD.contactUuid <> NEW.contactUuid then
|
||||
select * from hs_office_contact as c where c.uuid = OLD.contactUuid into oldContact;
|
||||
|
||||
call revokeRoleFromRole( hsOfficePartnerTenant, hsOfficeContactAdmin(oldContact) );
|
||||
call grantRoleToRole( hsOfficePartnerTenant, hsOfficeContactAdmin(newContact) );
|
||||
call revokeRoleFromRole(hsOfficeContactTenant(oldContact), hsOfficePartnerAdmin(OLD));
|
||||
call grantRoleToRole(hsOfficeContactTenant(newContact), hsOfficePartnerAdmin(NEW));
|
||||
|
||||
call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficePartnerTenant );
|
||||
call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficePartnerTenant );
|
||||
call revokeRoleFromRole(hsOfficePartnerAgent(OLD), hsOfficeContactAdmin(oldContact));
|
||||
call grantRoleToRole(hsOfficePartnerAgent(NEW), hsOfficeContactAdmin(newContact));
|
||||
|
||||
call revokeRoleFromRole(hsOfficeContactGuest(oldContact), hsOfficePartnerTenant(OLD));
|
||||
call grantRoleToRole(hsOfficeContactGuest(newContact), hsOfficePartnerTenant(NEW));
|
||||
end if;
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER';
|
||||
|
@ -0,0 +1,192 @@
|
||||
### hs_office_relationship RBAC
|
||||
|
||||
```mermaid
|
||||
|
||||
flowchart TB
|
||||
|
||||
subgraph global
|
||||
style global fill:#eee
|
||||
|
||||
role:global.admin[global.admin]
|
||||
end
|
||||
|
||||
subgraph hsOfficeContact
|
||||
direction TB
|
||||
style hsOfficeContact fill:#eee
|
||||
|
||||
role:hsOfficeContact.admin[contact.admin]
|
||||
--> role:hsOfficeContact.tenant[contact.tenant]
|
||||
--> role:hsOfficeContact.guest[contact.guest]
|
||||
end
|
||||
|
||||
subgraph hsOfficePerson
|
||||
direction TB
|
||||
style hsOfficePerson fill:#eee
|
||||
|
||||
role:hsOfficePerson.admin[person.admin]
|
||||
--> role:hsOfficePerson.tenant[person.tenant]
|
||||
--> role:hsOfficePerson.guest[person.guest]
|
||||
end
|
||||
|
||||
subgraph hsOfficeRelationship
|
||||
|
||||
role:hsOfficePerson#relAnchor.admin[person#anchor.admin]
|
||||
--- role:hsOfficePerson.admin
|
||||
|
||||
role:hsOfficeRelationship.owner[relationship.owner]
|
||||
%% permissions
|
||||
role:hsOfficeRelationship.owner --> perm:hsOfficeRelationship.*{{relationship.*}}
|
||||
%% incoming
|
||||
role:global.admin ---> role:hsOfficeRelationship.owner
|
||||
role:hsOfficePersonAdmin#relAnchor.admin
|
||||
end
|
||||
```
|
||||
|
||||
if TG_OP = 'INSERT' then
|
||||
|
||||
-- the owner role with full access for admins of the relAnchor global admins
|
||||
ownerRole = createRole(
|
||||
hsOfficeRelationshipOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRoles(array[
|
||||
globalAdmin(),
|
||||
hsOfficePersonAdmin(newRelAnchor)])
|
||||
);
|
||||
|
||||
-- the admin role with full access for the owner
|
||||
adminRole = createRole(
|
||||
hsOfficeRelationshipAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(ownerRole)
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
perform createRole(
|
||||
hsOfficeRelationshipTenant,
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRoles(array[
|
||||
hsOfficePersonAdmin(newRelAnchor),
|
||||
hsOfficePersonAdmin(newRelHolder),
|
||||
hsOfficeContactAdmin(newContact)]),
|
||||
withSubRoles(array[
|
||||
hsOfficePersonTenant(newRelAnchor),
|
||||
hsOfficePersonTenant(newRelHolder),
|
||||
hsOfficeContactTenant(newContact)])
|
||||
);
|
||||
|
||||
-- anchor and holder admin roles need each others tenant role
|
||||
-- to be able to see the joined relationship
|
||||
call grantRoleToRole(hsOfficePersonTenant(newRelAnchor), hsOfficePersonAdmin(newRelHolder));
|
||||
call grantRoleToRole(hsOfficePersonTenant(newRelHolder), hsOfficePersonAdmin(newRelAnchor));
|
||||
call grantRoleToRoleIfNotNull(hsOfficePersonTenant(newRelHolder), hsOfficeContactAdmin(newContact));
|
||||
|
||||
elsif TG_OP = 'UPDATE' then
|
||||
|
||||
if OLD.contactUuid <> NEW.contactUuid then
|
||||
-- nothing but the contact can be updated,
|
||||
-- in other cases, a new relationship needs to be created and the old updated
|
||||
|
||||
select * from hs_office_contact as c where c.uuid = OLD.contactUuid into oldContact;
|
||||
|
||||
call revokeRoleFromRole( hsOfficeRelationshipTenant, hsOfficeContactAdmin(oldContact) );
|
||||
call grantRoleToRole( hsOfficeRelationshipTenant, hsOfficeContactAdmin(newContact) );
|
||||
|
||||
call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficeRelationshipTenant );
|
||||
call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficeRelationshipTenant );
|
||||
end if;
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER';
|
||||
end if;
|
||||
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
|
||||
*/
|
||||
create trigger createRbacRolesForHsOfficeRelationship_Trigger
|
||||
after insert
|
||||
on hs_office_relationship
|
||||
for each row
|
||||
execute procedure hsOfficeRelationshipRbacRolesTrigger();
|
||||
|
||||
/*
|
||||
An AFTER UPDATE TRIGGER which updates the role structure of a customer.
|
||||
*/
|
||||
create trigger updateRbacRolesForHsOfficeRelationship_Trigger
|
||||
after update
|
||||
on hs_office_relationship
|
||||
for each row
|
||||
execute procedure hsOfficeRelationshipRbacRolesTrigger();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-office-relationship-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call generateRbacIdentityView('hs_office_relationship', $idName$
|
||||
(select idName from hs_office_person_iv p where p.uuid = target.relAnchorUuid)
|
||||
|| '-with-' || target.relType || '-' ||
|
||||
(select idName from hs_office_person_iv p where p.uuid = target.relHolderUuid)
|
||||
$idName$);
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-office-relationship-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call generateRbacRestrictedView('hs_office_relationship',
|
||||
'(select idName from hs_office_person_iv p where p.uuid = target.relHolderUuid)',
|
||||
$updates$
|
||||
contactUuid = new.contactUuid
|
||||
$updates$);
|
||||
--//
|
||||
|
||||
-- TODO: exception if one tries to amend any other column
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-office-relationship-rbac-NEW-RELATHIONSHIP:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates a global permission for new-relationship and assigns it to the hostsharing admins role.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
addCustomerPermissions uuid[];
|
||||
globalObjectUuid uuid;
|
||||
globalAdminRoleUuid uuid ;
|
||||
begin
|
||||
call defineContext('granting global new-relationship permission to global admin role', null, null, null);
|
||||
|
||||
globalAdminRoleUuid := findRoleId(globalAdmin());
|
||||
globalObjectUuid := (select uuid from global);
|
||||
addCustomerPermissions := createPermissions(globalObjectUuid, array ['new-relationship']);
|
||||
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
|
||||
*/
|
||||
create or replace function addHsOfficeRelationshipNotAllowedForCurrentSubjects()
|
||||
returns trigger
|
||||
language PLPGSQL
|
||||
as $$
|
||||
begin
|
||||
raise exception '[403] new-relationship not permitted for %',
|
||||
array_to_string(currentSubjects(), ';', 'null');
|
||||
end; $$;
|
||||
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to create a new customer.
|
||||
*/
|
||||
create trigger hs_office_relationship_insert_trigger
|
||||
before insert
|
||||
on hs_office_relationship
|
||||
for each row
|
||||
-- TODO.spec: who is allowed to create new relationships
|
||||
when ( not hasAssumedRole() )
|
||||
execute procedure addHsOfficeRelationshipNotAllowedForCurrentSubjects();
|
||||
--//
|
||||
|
@ -28,8 +28,6 @@ create or replace function hsOfficeRelationshipRbacRolesTrigger()
|
||||
strict as $$
|
||||
declare
|
||||
hsOfficeRelationshipTenant RbacRoleDescriptor;
|
||||
ownerRole uuid;
|
||||
adminRole uuid;
|
||||
newRelAnchor hs_office_person;
|
||||
newRelHolder hs_office_person;
|
||||
oldContact hs_office_contact;
|
||||
@ -44,38 +42,38 @@ begin
|
||||
|
||||
if TG_OP = 'INSERT' then
|
||||
|
||||
-- the owner role with full access for admins of the relAnchor global admins
|
||||
ownerRole = createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeRelationshipOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRoles(array[
|
||||
permissions => array['*'],
|
||||
incomingSuperRoles => array[
|
||||
globalAdmin(),
|
||||
hsOfficePersonAdmin(newRelAnchor)])
|
||||
hsOfficePersonAdmin(newRelAnchor)]
|
||||
);
|
||||
|
||||
-- the admin role with full access for the owner
|
||||
adminRole = createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeRelationshipAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(ownerRole)
|
||||
permissions => array['edit'],
|
||||
incomingSuperRoles => array[hsOfficeRelationshipOwner(NEW)]
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
perform createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeRelationshipTenant,
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRoles(array[
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[
|
||||
hsOfficeRelationshipAdmin(NEW),
|
||||
hsOfficePersonAdmin(newRelAnchor),
|
||||
hsOfficePersonAdmin(newRelHolder),
|
||||
hsOfficeContactAdmin(newContact)]),
|
||||
withSubRoles(array[
|
||||
hsOfficeContactAdmin(newContact)],
|
||||
outgoingSubRoles => array[
|
||||
hsOfficePersonTenant(newRelAnchor),
|
||||
hsOfficePersonTenant(newRelHolder),
|
||||
hsOfficeContactTenant(newContact)])
|
||||
hsOfficeContactTenant(newContact)]
|
||||
);
|
||||
|
||||
-- anchor and holder admin roles need each others tenant role
|
||||
-- to be able to see the joined relationship
|
||||
-- TODO: this can probably be avoided through agent+guest roles
|
||||
call grantRoleToRole(hsOfficePersonTenant(newRelAnchor), hsOfficePersonAdmin(newRelHolder));
|
||||
call grantRoleToRole(hsOfficePersonTenant(newRelHolder), hsOfficePersonAdmin(newRelAnchor));
|
||||
call grantRoleToRoleIfNotNull(hsOfficePersonTenant(newRelHolder), hsOfficeContactAdmin(newContact));
|
||||
|
@ -3,41 +3,38 @@
|
||||
```mermaid
|
||||
flowchart TB
|
||||
|
||||
%% ---------- generated start: ----------
|
||||
|
||||
subgraph global
|
||||
style hsOfficeBankAccount fill: #e9f7ef
|
||||
|
||||
role:global.admin[global.admin]
|
||||
end
|
||||
|
||||
subgraph context
|
||||
user:current([current])
|
||||
subgraph hsOfficeBankAccount
|
||||
direction TB
|
||||
style hsOfficeBankAccount fill: #e9f7ef
|
||||
|
||||
user:hsOfficeBankAccount.creator([bankAccount.creator])
|
||||
|
||||
role:hsOfficeBankAccount.owner[[bankAccount.owner]]
|
||||
%% permissions
|
||||
role:hsOfficeBankAccount.owner --> perm:hsOfficeBankAccount.*{{hsOfficeBankAccount.delete}}
|
||||
%% incoming
|
||||
role:global.admin --> role:hsOfficeBankAccount.owner
|
||||
user:hsOfficeBankAccount.creator ---> role:hsOfficeBankAccount.owner
|
||||
|
||||
role:hsOfficeBankAccount.admin[[bankAccount.admin]]
|
||||
%% incoming
|
||||
role:hsOfficeBankAccount.owner ---> role:hsOfficeBankAccount.admin
|
||||
|
||||
role:hsOfficeBankAccount.tenant[[bankAccount.tenant]]
|
||||
%% incoming
|
||||
role:hsOfficeBankAccount.admin ---> role:hsOfficeBankAccount.tenant
|
||||
|
||||
role:hsOfficeBankAccount.guest[[bankAccount.guest]]
|
||||
%% permissions
|
||||
role:hsOfficeBankAccount.guest --> perm:hsOfficeBankAccount.view{{hsOfficeBankAccount.view}}
|
||||
%% incoming
|
||||
role:hsOfficeBankAccount.tenant ---> role:hsOfficeBankAccount.guest
|
||||
end
|
||||
|
||||
subgraph bankaccount
|
||||
|
||||
subgraph roles[ ]
|
||||
role:bankaccount.owner[[bankaccount.owner]]
|
||||
role:bankaccount.admin[[bankaccount.admin]]
|
||||
role:bankaccount.tenant[[bankaccount.tenant]]
|
||||
end
|
||||
|
||||
subgraph perms[ ]
|
||||
perm:bankaccount.delete{{bankaccount.delete}}
|
||||
perm:bankaccount.view{{bankaccount.view}}
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
%% ---------- generated end. ----------
|
||||
|
||||
role:bankaccount.owner --> perm:bankaccount.delete
|
||||
|
||||
role:global.admin --> role:bankaccount.owner
|
||||
user:current --> role:bankaccount.owner
|
||||
|
||||
role:bankaccount.owner --> role:bankaccount.admin
|
||||
|
||||
role:bankaccount.admin --> role:bankaccount.tenant
|
||||
role:bankaccount.tenant --> perm:bankaccount.view
|
||||
```
|
||||
|
||||
|
@ -26,40 +26,33 @@ create or replace function createRbacRolesForHsOfficeBankAccount()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
ownerRole uuid;
|
||||
adminRole uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
-- the owner role with full access for the creator assigned to the current user
|
||||
ownerRole := createRole(
|
||||
hsOfficeBankAccountOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['delete']),
|
||||
beneathRole(globalAdmin()),
|
||||
withoutSubRoles(),
|
||||
withUser(currentUser()), -- TODO.spec: Who is owner of a new bankaccount?
|
||||
grantedByRole(globalAdmin())
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeBankAccountOwner(NEW),
|
||||
permissions => array['delete'],
|
||||
incomingSuperRoles => array[globalAdmin()],
|
||||
userUuids => array[currentUserUuid()],
|
||||
grantedByRole => globalAdmin()
|
||||
);
|
||||
|
||||
-- the admin role for those related users who can view the data and related records
|
||||
adminRole := createRole(
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeBankAccountAdmin(NEW),
|
||||
-- Where bankaccounts can be created, assigned, re-assigned and deleted, they cannot be updated.
|
||||
-- Thus SQL UPDATE and 'edit' permission are being implemented.
|
||||
withoutPermissions(),
|
||||
beneathRole(ownerRole)
|
||||
incomingSuperRoles => array[hsOfficeBankAccountOwner(NEW)]
|
||||
);
|
||||
|
||||
-- TODO.spec: assumption can not be updated
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeBankAccountTenant(NEW),
|
||||
incomingSuperRoles => array[hsOfficeBankAccountAdmin(NEW)]
|
||||
);
|
||||
|
||||
-- the tenant role for those related users who can view the data
|
||||
perform createRole(
|
||||
hsOfficeBankAccountTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||
beneathRole(adminRole)
|
||||
perform createRoleWithGrants(
|
||||
hsOfficeBankAccountGuest(NEW),
|
||||
permissions => array['view'],
|
||||
incomingSuperRoles => array[hsOfficeBankAccountTenant(NEW)]
|
||||
);
|
||||
|
||||
return NEW;
|
||||
|
@ -1,49 +1,208 @@
|
||||
### hs_office_debitor RBAC Roles
|
||||
|
||||
```mermaid
|
||||
flowchart TB;
|
||||
flowchart TB
|
||||
|
||||
subgraph bankaccount;
|
||||
subgraph global
|
||||
style global fill:#eee
|
||||
|
||||
role:global.admin[global.admin]
|
||||
end
|
||||
|
||||
%% oversimplified version for now
|
||||
%%
|
||||
%% Beware: role:debitor.tenant should NOT be granted role:bankaccount.tenent
|
||||
%% because otherwise, later in the development,
|
||||
%% e.g. package admins could see the debitors bank account,
|
||||
%% except if we do NOT use the debitor in the hosting super module.
|
||||
|
||||
role:bankaccount.tenant --> perm:bankaccount.view{{bankaccount.view}};
|
||||
end;
|
||||
|
||||
subgraph debitor[" "];
|
||||
direction TB;
|
||||
|
||||
role:debitor.owner[[debitor.owner]]
|
||||
role:debitor.owner --> perm:debitor.*{{debitor.*}};
|
||||
|
||||
role:debitor.admin[[debitor.admin]]
|
||||
%% super-roles
|
||||
role:debitor.owner --> role:debitor.admin;
|
||||
role:partner.admin --> role:debitor.admin;
|
||||
role:person.admin --> role:debitor.admin;
|
||||
role:contact.admin --> role:debitor.admin;
|
||||
%% sub-roles
|
||||
role:debitor.admin --> role:partner.tenant;
|
||||
role:debitor.admin --> role:person.tenant;
|
||||
role:debitor.admin --> role:contact.tenant;
|
||||
role:debitor.admin --> role:bankaccount.tenant;
|
||||
|
||||
role:debitor.tenant[[debitor.tenant]]
|
||||
role:debitor.tenant --> perm:debitor.view{{debitor.view}};
|
||||
%% super-roles
|
||||
role:debitor.admin --> role:debitor.tenant;
|
||||
%% sub-roles
|
||||
subgraph office
|
||||
style office fill:#eee
|
||||
|
||||
subgraph bankaccount
|
||||
style bankaccount fill: #e9f7ef
|
||||
|
||||
end;
|
||||
|
||||
subgraph global;
|
||||
role:global.admin --> role:debitor.owner;
|
||||
end;
|
||||
user:hsOfficeBankAccount.creator([bankaccount.creator])
|
||||
|
||||
role:hsOfficeBankAccount.owner[bankaccount.owner]
|
||||
%% permissions
|
||||
role:hsOfficeBankAccount.owner --> perm:hsOfficeBankAccount.*{{bankaccount.*}}
|
||||
%% incoming
|
||||
role:global.admin --> role:hsOfficeBankAccount.owner
|
||||
user:hsOfficeBankAccount.creator ---> role:hsOfficeBankAccount.owner
|
||||
|
||||
role:hsOfficeBankAccount.admin[bankaccount.admin]
|
||||
%% permissions
|
||||
role:hsOfficeBankAccount.admin --> perm:hsOfficeBankAccount.edit{{bankaccount.edit}}
|
||||
%% incoming
|
||||
role:hsOfficeBankAccount.owner ---> role:hsOfficeBankAccount.admin
|
||||
|
||||
role:hsOfficeBankAccount.tenant[bankaccount.tenant]
|
||||
%% incoming
|
||||
role:hsOfficeBankAccount.admin ---> role:hsOfficeBankAccount.tenant
|
||||
|
||||
role:hsOfficeBankAccount.guest[bankaccount.guest]
|
||||
%% permissions
|
||||
role:hsOfficeBankAccount.guest --> perm:hsOfficeBankAccount.view{{bankaccount.view}}
|
||||
%% incoming
|
||||
role:hsOfficeBankAccount.tenant ---> role:hsOfficeBankAccount.guest
|
||||
end
|
||||
|
||||
subgraph contact
|
||||
style contact fill: #e9f7ef
|
||||
|
||||
user:hsOfficeContact.creator([contact.creator])
|
||||
|
||||
role:hsOfficeContact.owner[contact.owner]
|
||||
%% permissions
|
||||
role:hsOfficeContact.owner --> perm:hsOfficeContact.*{{contact.*}}
|
||||
%% incoming
|
||||
role:global.admin --> role:hsOfficeContact.owner
|
||||
user:hsOfficeContact.creator ---> role:hsOfficeContact.owner
|
||||
|
||||
role:hsOfficeContact.admin[contact.admin]
|
||||
%% permissions
|
||||
role:hsOfficeContact.admin ---> perm:hsOfficeContact.edit{{contact.edit}}
|
||||
%% incoming
|
||||
role:hsOfficeContact.owner ---> role:hsOfficeContact.admin
|
||||
|
||||
role:hsOfficeContact.tenant[contact.tenant]
|
||||
%% incoming
|
||||
role:hsOfficeContact.admin ----> role:hsOfficeContact.tenant
|
||||
|
||||
role:hsOfficeContact.guest[contact.guest]
|
||||
%% permissions
|
||||
role:hsOfficeContact.guest --> perm:hsOfficeContact.view{{contact.view}}
|
||||
%% incoming
|
||||
role:hsOfficeContact.tenant ---> role:hsOfficeContact.guest
|
||||
end
|
||||
|
||||
subgraph partner-person
|
||||
|
||||
subgraph person
|
||||
style person fill: #e9f7ef
|
||||
|
||||
user:hsOfficePerson.creator([personcreator])
|
||||
|
||||
role:hsOfficePerson.owner[person.owner]
|
||||
%% permissions
|
||||
role:hsOfficePerson.owner --> perm:hsOfficePerson.*{{person.*}}
|
||||
%% incoming
|
||||
user:hsOfficePerson.creator ---> role:hsOfficePerson.owner
|
||||
role:global.admin --> role:hsOfficePerson.owner
|
||||
|
||||
role:hsOfficePerson.admin[person.admin]
|
||||
%% permissions
|
||||
role:hsOfficePerson.admin --> perm:hsOfficePerson.edit{{person.edit}}
|
||||
%% incoming
|
||||
role:hsOfficePerson.owner ---> role:hsOfficePerson.admin
|
||||
|
||||
role:hsOfficePerson.tenant[person.tenant]
|
||||
%% incoming
|
||||
role:hsOfficePerson.admin -----> role:hsOfficePerson.tenant
|
||||
|
||||
role:hsOfficePerson.guest[person.guest]
|
||||
%% permissions
|
||||
role:hsOfficePerson.guest --> perm:hsOfficePerson.edit{{person.view}}
|
||||
%% incoming
|
||||
role:hsOfficePerson.tenant ---> role:hsOfficePerson.guest
|
||||
end
|
||||
|
||||
subgraph partner
|
||||
|
||||
role:hsOfficePartner.owner[partner.owner]
|
||||
%% permissions
|
||||
role:hsOfficePartner.owner --> perm:hsOfficePartner.*{{partner.*}}
|
||||
%% incoming
|
||||
role:global.admin ---> role:hsOfficePartner.owner
|
||||
|
||||
role:hsOfficePartner.admin[partner.admin]
|
||||
%% permissions
|
||||
role:hsOfficePartner.admin --> perm:hsOfficePartner.edit{{partner.edit}}
|
||||
%% incoming
|
||||
role:hsOfficePartner.owner ---> role:hsOfficePartner.admin
|
||||
%% outgoing
|
||||
role:hsOfficePartner.admin --> role:hsOfficePerson.tenant
|
||||
role:hsOfficePartner.admin --> role:hsOfficeContact.tenant
|
||||
|
||||
role:hsOfficePartner.agent[partner.agent]
|
||||
%% incoming
|
||||
role:hsOfficePartner.admin --> role:hsOfficePartner.agent
|
||||
role:hsOfficePerson.admin --> role:hsOfficePartner.agent
|
||||
role:hsOfficeContact.admin --> role:hsOfficePartner.agent
|
||||
|
||||
role:hsOfficePartner.tenant[partner.tenant]
|
||||
%% incoming
|
||||
role:hsOfficePartner.agent ---> role:hsOfficePartner.tenant
|
||||
%% outgoing
|
||||
role:hsOfficePartner.tenant --> role:hsOfficePerson.guest
|
||||
role:hsOfficePartner.tenant --> role:hsOfficeContact.guest
|
||||
|
||||
role:hsOfficePartner.guest[partner.guest]
|
||||
%% permissions
|
||||
role:hsOfficePartner.guest --> perm:hsOfficePartner.view{{partner.view}}
|
||||
%% incoming
|
||||
role:hsOfficePartner.tenant ---> role:hsOfficePartner.guest
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
subgraph debitor
|
||||
style debitor stroke-width:6px
|
||||
|
||||
user:hsOfficeDebitor.creator([debitor.creator])
|
||||
%% created by role
|
||||
user:hsOfficeDebitor.creator --> role:hsOfficePartner.agent
|
||||
|
||||
role:hsOfficeDebitor.owner[debitor.owner]
|
||||