Confusing Roles and Groups UX for non-admin users

rolodato commented 1 month ago

Is your feature request related to a problem? Please describe.

This is what non-organisation-admin users see when visiting the Roles page:

This is the case even if the organisation does have custom roles. The message could be interpreted to mean "you (user) do not have any custom roles assigned to you", which can be confusing when troubleshooting permissions during onboarding. Only org admins can view the list of custom roles or perform any actions on them, so there is no reason non-admins should be able to see this page.

When viewing the Groups tab, non-admin users can see all groups in the organisation, even if they don't have admin permissions for them:

Clicking on a group that they are not admins of shows a spinner with no error message:

Describe the solution you'd like.

Hide or disable the Roles tab from users who are not organisation admins
Rename the Roles tab to "Custom Roles", to distinguish them from the built-in roles ("Organisation Admin" and "User")
Reword the message when no roles exist to "Your organisation does not have any custom roles" or similar
- While we're at it, reword the equivalent message for groups to "Your organisation does not have any groups", for consistency. This is a less redundant wording
Show an error message if trying to edit a group that a user is not an admin of

Optional - see alternatives below:

In the Groups tab, visually distinguish somehow which groups a user has permissions to edit or not. Don't allow editing groups that a user is not an admin of

Describe alternatives you've considered

For groups, it's debatable whether non-admin users should be able to see the full list of groups or not. Within large organisations, admins may want to hide the existence of certain groups from non-admins, either for privacy or to prevent information overload if there is a large amount of groups.

If we do decide to implement this, the Groups page should:

only list groups that the current user is an admin of, filtering at the API level (all groups for org admins or users with "manage groups" org permisisons; individual groups for group admins)
show a message like "Your organisation does not have any groups" to org admins or users with "manage groups" org permissions, and "You do not have permissions to manage any groups in your organisation" to others

Additional context

No response

kyle-ssg commented 3 days ago

@rolodato I think part of this is a duplicate of https://github.com/Flagsmith/flagsmith/issues/3784

RE the terminology "Custom Roles" this feels a bit confusing maybe there's a better phrase we could use

rolodato commented 3 days ago

Part of it is a duplicate, yes. Also sorry, this ticket is very poorly written now that I'm coming back to it.

"Custom role" is the best I could come up with when rewriting the RBAC documentation here: https://docs.flagsmith.com/system-administration/rbac. "Role" is currently an overloaded term for both of these things:

Organisation Administrator / User permissions, now called "built-in role"
Organisation-defined roles, now called called "custom role"

I'm open to suggestions for different names, can't think of anything better at the moment.

Flagsmith / flagsmith