This ticket changes a part of #73 that was introduced in the same release, release1.21.
The base-reader and base-endpoint-consumer roles create unnecessary risk when removing a tenant. There may be no fallout from deleting base-reader; however, if the base-endpoint-consumer role was deleted, all endpoint consumers within the environment would no longer be able to consume endpoints.
The permissions and roles granted to the base roles are to be transferred to each tenant's reader and endpoint consumer roles.
So long as the base roles are not deleted before the tenant's roles are updated, no immediate action will be required.
The base roles may be deleted from an environment once the roles of all tenants in the environment have been updated. There is no harm in leaving the base roles.
No user or service accounts need to be updated.
Document permissions will not be impacted (i.e., no documents should have directly received either of the base roles).
Scope of this ticket includes:
[x] Moving the base roles privileges and inherited roles to the associated roles within /src/main/ml-config/security/roles.
[x] Deleting the base roles.
[x] Updating the Remove a Tenant or Project section of lux-backend-deployment.md
This ticket changes a part of #73 that was introduced in the same release, release1.21.
The
base-reader
andbase-endpoint-consumer
roles create unnecessary risk when removing a tenant. There may be no fallout from deletingbase-reader
; however, if thebase-endpoint-consumer
role was deleted, all endpoint consumers within the environment would no longer be able to consume endpoints.The permissions and roles granted to the base roles are to be transferred to each tenant's reader and endpoint consumer roles.
So long as the base roles are not deleted before the tenant's roles are updated, no immediate action will be required.
The base roles may be deleted from an environment once the roles of all tenants in the environment have been updated. There is no harm in leaving the base roles.
No user or service accounts need to be updated.
Document permissions will not be impacted (i.e., no documents should have directly received either of the base roles).
Scope of this ticket includes:
/src/main/ml-config/security/roles
.