Shared roles are global roles created with the attribute shared=true.
They are propagated into all tenants and can be assigned and unassigned in each tenant independently.
The propagated roles look like regular tenant roles to the end-user. E.g. a shared role called */auth-admin is propagated as mytenant/auth-admin, yourtenant/auth-admin etc.
Modifying shared roles requires superuser privileges (as with regular global roles).
Modifying the propagated tenant roles is not possible.
Tech details
The role service uses three types of RoleView class - global, shared and tenant - for listing, searching and getting the three different types of roles.
Todo
[ ] Create, list, get and delete shared roles.
[ ] Assign and unassign propagated roles.
[ ] Retrieve propagated roles assigned to requested credentials.
[ ] When a shared role is deleted, clean up the assignments of its propagated roles.
closes #357
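A minimal in-memory model of the behaviour listed in this description, added here as an illustration and not taken from the pull request or the project's role service. The class `SharedRoleModel`, its method names and the credentials id used in the checks are hypothetical.

```python
class SharedRoleModel:
    """Hypothetical model of shared-role propagation (not the project's code)."""

    def __init__(self, tenants):
        self.tenants = set(tenants)
        self.shared = set()     # shared global roles, e.g. "*/auth-admin"
        self.assigned = {}      # credentials id -> set of propagated role ids

    def _require_superuser(self, superuser):
        if not superuser:
            raise PermissionError("superuser privileges required")

    def create_shared(self, role_id, superuser=False):
        self._require_superuser(superuser)
        if not role_id.startswith("*/"):
            raise ValueError("a shared role is global: expected '*/<name>'")
        self.shared.add(role_id)

    def is_propagated(self, role_id):
        tenant, _, name = role_id.partition("/")
        return tenant in self.tenants and "*/" + name in self.shared

    def tenant_roles(self, tenant):
        # "*/auth-admin" is seen inside the tenant as "<tenant>/auth-admin".
        return sorted(tenant + role_id[1:] for role_id in self.shared)

    def modify(self, role_id, superuser=False):
        if self.is_propagated(role_id):
            raise PermissionError("propagated tenant roles cannot be modified")
        self._require_superuser(superuser)  # editing the shared role itself

    def assign(self, cred_id, role_id):
        if not self.is_propagated(role_id):
            raise ValueError("unknown role: " + role_id)
        self.assigned.setdefault(cred_id, set()).add(role_id)

    def unassign(self, cred_id, role_id):
        self.assigned.get(cred_id, set()).discard(role_id)

    def roles_of(self, cred_id):
        return sorted(self.assigned.get(cred_id, ()))

    def delete_shared(self, role_id, superuser=False):
        self._require_superuser(superuser)
        self.shared.discard(role_id)
        # Clean up assignments of every propagated copy, in all tenants.
        stale = {tenant + role_id[1:] for tenant in self.tenants}
        for roles in self.assigned.values():
            roles -= stale
```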