Global roles will also be made available inside every tenant. E.g. */reader will also appear as mytenant/reader, yourtenant/reader etc.
These tenant roles will grant access to the same resources as their parent global role.
Global roles (e.g. */reader) are only assignable by superusers and grant resource access across all tenants, while the derived tenant roles (e.g. mytenant/reader) are assignable by tenant admins and grant resource access only within the specific tenant.
To consider
Should it be possible to overwrite such a role inside a tenant? E.g. to change the resources or the description of mytenant/reader without changing the global */reader.
What will happen if the global role grants access to a global-only resource, e.g. authz:superuser?
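
A minimal model of the proposal above, added here as an illustration and not taken from the project's code: it derives the tenant roles, applies the two assignment rules, and lists derived roles that would inherit a global-only resource (the second open question). The `Role` class, the function names, the `docs:read` resource and the `root` role are assumptions made for the example.

```python
from dataclasses import dataclass

GLOBAL = "*"
GLOBAL_ONLY = {"authz:superuser"}  # global-only resource named on the page

@dataclass(frozen=True)
class Role:
    scope: str            # "*" for a global role, otherwise a tenant name
    name: str
    resources: frozenset

    @property
    def key(self):
        return f"{self.scope}/{self.name}"

def visible_roles(global_roles, tenants):
    """Global roles plus one derived copy per tenant with the same resources."""
    roles = {g.key: g for g in global_roles}
    for tenant in tenants:
        for g in global_roles:
            derived = Role(tenant, g.name, g.resources)
            roles[derived.key] = derived
    return roles

def can_assign(actor, role):
    """Global roles: superusers only. Tenant roles: that tenant's admins.
    Whether superusers may also assign tenant roles is not stated; not modelled."""
    if role.scope == GLOBAL:
        return actor["superuser"]
    return role.scope in actor["admin_of"]

def grants(role, resource, tenant):
    """True if holding `role` gives access to `resource` inside `tenant`."""
    return resource in role.resources and role.scope in (GLOBAL, tenant)

def global_only_leaks(roles):
    """Derived tenant roles that would inherit a global-only resource."""
    return sorted(r.key for r in roles.values()
                  if r.scope != GLOBAL and r.resources & GLOBAL_ONLY)

# Constructed sample data: "docs:read" and the "root" role are hypothetical.
GLOBAL_ROLES = [Role(GLOBAL, "reader", frozenset({"docs:read"})),
                Role(GLOBAL, "root", frozenset({"docs:read", "authz:superuser"}))]
ROLES = visible_roles(GLOBAL_ROLES, ["mytenant", "yourtenant"])
TENANT_ADMIN = {"superuser": False, "admin_of": {"mytenant"}}

if __name__ == "__main__":
    print(sorted(ROLES))
    print("derived roles carrying global-only resources:", global_only_leaks(ROLES))
```

A non-empty result from `global_only_leaks` marks the derived roles that a tenant admin could assign while they still list a global-only resource, which is the case the proposal has to decide.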