OTARIS / MF-REST-API

The MetaHL Fabric REST API is an interface to any Hyperledger® Fabric network.
https://otaris.de/metahl-fabric/
Apache License 2.0

Add the ability to add new user roles (authorities) through the API itself #28

Open CodingSinceThe80s opened 3 years ago

CodingSinceThe80s commented 3 years ago

This is related to the requirement of the shipping order form for specific types of users (they should be customizable). The following is the user story formulation of this requirement:

As a dashboard operator I need to be able to define or change the existing roles without having to directly change the database in order to be able to signal upstream systems (currently through the token) which access control policies should be applied.

One can implement an additional role system in the upstream system, but it makes it really complex to map the roles there to the roles in the REST API and also to make sure that the UI does not even attempt to give the user the impression that specific actions are possible.

dl-ota commented 3 years ago

Currently, adding new roles is indeed not possible, and that is a great suggestion for an enhancement. It is, however, possible to change the linked (default) whitelists. So, just in case this could already resolve an issue that you might have run into:

The role "ROLE_USER" is only linked to the "DEFAULT_READ_WHITELIST". The roles "ROLE_MEMBER" and "ROLE_ADMIN" are additionally linked to "DEFAULT_WRITE_WHITELIST", and "ROLE_ADMIN" is furthermore linked to the "DEFAULT_ADMIN_WHITELIST". By using "linkFunctionToWhitelist" and "unlinkFunctionFromWhitelist" you can customize the available functions for each role by customizing the corresponding whitelist. Furthermore, you can create new whitelists by calling "createWhitelist" and assign them to certain users via "linkUserToWhitelist".

If you simply want to change the role of a user from one default role to another, then you can call "setRole".

And maybe you can already tackle the issue "[...] also make sure that the UI does not even attempt to give the user the impression that specific actions are possible." by calling "getUserInfo". There you receive a list of all allowed function calls for the specified user.

So maybe this was already helpful. But enhancing the role system is a good idea in my eyes. 👍
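The reply above describes how the three default roles map onto shared whitelists and how a per-user whitelist can add capabilities without a new role. The following in-memory model is an added example for this thread, not code from the MF-REST-API project: the role names, default whitelist names and operation names (setRole, createWhitelist, linkFunctionToWhitelist, unlinkFunctionFromWhitelist, linkUserToWhitelist, getUserInfo) are taken from the reply, while the data layout, the sample function names in the read/write lists and the "SHIPPING_ORDER_WHITELIST" scenario are assumptions made for illustration. It shows the security point a practitioner would want to verify: editing a default whitelist changes the permissions of every user holding that role, whereas a dedicated whitelist linked to one user grants the capability to that user only, and the getUserInfo-style output is what a UI can use to hide actions the user cannot perform.

```python
"""Toy model of the role / whitelist authorization scheme sketched in the reply.

Added illustration, not MF-REST-API code. Role, whitelist and operation names
come from the reply; data layout, sample function names and the shipping-order
scenario are assumptions for this example.
"""

# Which default whitelists each default role is linked to (from the reply).
ROLE_WHITELISTS = {
    "ROLE_USER": ("DEFAULT_READ_WHITELIST",),
    "ROLE_MEMBER": ("DEFAULT_READ_WHITELIST", "DEFAULT_WRITE_WHITELIST"),
    "ROLE_ADMIN": ("DEFAULT_READ_WHITELIST", "DEFAULT_WRITE_WHITELIST",
                   "DEFAULT_ADMIN_WHITELIST"),
}


class WhitelistAuthz:
    """In-memory stand-in for the REST API's user/role/whitelist tables."""

    def __init__(self):
        # whitelist name -> set of API function names it permits.
        # The read/write entries are constructed sample names, not the project's.
        self.whitelists = {
            "DEFAULT_READ_WHITELIST": {"getUserInfo", "queryAsset"},
            "DEFAULT_WRITE_WHITELIST": {"createAsset", "updateAsset"},
            "DEFAULT_ADMIN_WHITELIST": {"createWhitelist", "linkFunctionToWhitelist",
                                        "unlinkFunctionFromWhitelist",
                                        "linkUserToWhitelist", "setRole"},
        }
        self.roles = {}            # user -> role name
        self.user_whitelists = {}  # user -> set of whitelists linked to the user directly

    # --- operations named in the reply (modelled, not the real HTTP calls) ---
    def set_role(self, user, role):
        if role not in ROLE_WHITELISTS:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role

    def create_whitelist(self, name):
        if name in self.whitelists:
            raise ValueError(f"whitelist {name!r} already exists")
        self.whitelists[name] = set()

    def link_function_to_whitelist(self, function, whitelist):
        self.whitelists[whitelist].add(function)

    def unlink_function_from_whitelist(self, function, whitelist):
        self.whitelists[whitelist].discard(function)

    def link_user_to_whitelist(self, user, whitelist):
        if whitelist not in self.whitelists:
            raise ValueError(f"unknown whitelist {whitelist!r}")
        self.user_whitelists.setdefault(user, set()).add(whitelist)

    def get_user_info(self, user):
        """Role plus the effective list of allowed functions, like getUserInfo."""
        linked = set(ROLE_WHITELISTS[self.roles[user]]) | self.user_whitelists.get(user, set())
        allowed = set().union(*(self.whitelists[w] for w in linked))
        return {"role": self.roles[user], "whitelists": sorted(linked),
                "allowed_functions": sorted(allowed)}

    # --- the check a request handler performs before dispatching a call -----
    def is_allowed(self, user, function):
        return function in self.get_user_info(user)["allowed_functions"]


def shipping_order_scenario():
    """Give one ROLE_USER a custom capability without touching the shared default lists."""
    authz = WhitelistAuthz()
    authz.set_role("alice", "ROLE_USER")
    authz.set_role("bob", "ROLE_USER")
    # A dedicated whitelist instead of editing DEFAULT_READ_WHITELIST, which would
    # grant the function to every ROLE_USER (bob included), not just alice.
    authz.create_whitelist("SHIPPING_ORDER_WHITELIST")
    authz.link_function_to_whitelist("createShippingOrder", "SHIPPING_ORDER_WHITELIST")
    authz.link_user_to_whitelist("alice", "SHIPPING_ORDER_WHITELIST")
    return {
        "alice": authz.get_user_info("alice"),
        "bob": authz.get_user_info("bob"),
        "alice_can_create_order": authz.is_allowed("alice", "createShippingOrder"),
        "bob_can_create_order": authz.is_allowed("bob", "createShippingOrder"),
        "alice_can_create_asset": authz.is_allowed("alice", "createAsset"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(shipping_order_scenario(), indent=2))
```

The "allowed_functions" list returned for each user is the piece a dashboard would consume to decide which actions to render, mirroring the getUserInfo suggestion in the reply; the scenario also shows why a per-user whitelist is the safer customization compared with unlinking or linking functions on a default whitelist that several users share through their role.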