Closed bethesque closed 3 years ago
Having given this some more thought, I'm leaning towards leaving the team administrator role only being allowed to add/remove people from a team. The complications introduced by allowing a team admin to also modify a user's roles would lead to a highly complex piece of work that I don't think is a high priority for us at the moment, compared to things like bi-directional contracts.
> Having given this some more thought, I'm leaning towards leaving the team administrator role only being allowed to add/remove people from a team

That seems like a good starting point, and at worst, would be a subset of any future enhancement anyway.
Feature launched: Team Administrators are now able to add/remove Users and Applications for their teams.
See https://docs.pactflow.io/docs/permissions/permissions/#teammanageuuid for more.
Ideally, teams should be able to work autonomously, be able to invite users to Pactflow, and manage team members without having to go through a central administrator user.
Whether or not a team administrator should be able to assign roles to members in their team raises questions, however. If we allowed team administrators to assign roles to users, we would have to prevent the possibility of privilege escalation (i.e. a team admin assigning a user "super admin" privileges).
Something that complicates the situation is that roles within Pactflow may be edited. Even if we were to disallow a team administrator from assigning the "Administrator" role to a user, if an organisation decided to make their own custom roles, there would currently be no way of logically preventing a team administrator from assigning a custom "super administrator" role to another user (or themselves).
Questions:
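
The escalation concern in the issue description above, as an added example (not Pactflow code; every role name other than "Administrator" and all permission strings are constructed for illustration): a name-based block on "Administrator" lets an equivalent custom role through, while comparing permission sets does not.

```python
# Added illustration; role and permission names are constructed, not Pactflow's.
ROLES = {
    "Administrator": {"user:manage", "role:manage", "team:manage", "contract:write"},
    "Team Administrator": {"team:manage", "contract:write"},
    "User": {"contract:write"},
    # Custom role created by the organisation: different name, same power.
    "Platform Owner": {"user:manage", "role:manage", "team:manage", "contract:write"},
}

# Role names a name-based rule would refuse to hand out.
PROTECTED_NAMES = {"Administrator"}


def effective_permissions(role_names, roles=ROLES):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms


def may_assign_by_name(role_name):
    """Weak check: blocks known role names only, so custom roles slip through."""
    return role_name not in PROTECTED_NAMES


def may_assign_by_permissions(assigner_roles, role_name, roles=ROLES):
    """Stricter check: the granted role must not exceed the assigner's own permissions."""
    return roles[role_name] <= effective_permissions(assigner_roles, roles)


def audit_assignments(assigner_roles, roles=ROLES):
    """Report, per role, what each check would decide for this assigner."""
    return {
        name: (may_assign_by_name(name),
               may_assign_by_permissions(assigner_roles, name, roles))
        for name in roles
    }


if __name__ == "__main__":
    for name, (by_name, by_perms) in audit_assignments(["Team Administrator"]).items():
        print(f"{name:20} name-check={by_name!s:5} permission-check={by_perms}")
```

Because roles can be edited, the permission comparison only holds against the role definitions at assignment time; a later edit to a role changes what its existing holders can do.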