quickcase / spring-oidc

:lock: Library extending Spring Security for integration with QuickCase APIs
MIT License

Implement organisation roles #46

Open vlaurin opened 3 years ago

vlaurin commented 3 years ago

So far roles have been defined in a global way, through a top level claim. However, their format of caseworker-<orgid>-... implies they should be organisation specific rather than global. This would more adequately fit a multi-tenant system.
Add organisation-level roles and deprecate use of global roles.

vlaurin commented 3 years ago

Pushing back to milestone 1.1.0 as organisation-level roles are not a requested feature at this time.

vlaurin commented 3 years ago

Outcome of internal discussions - 2021-01-27

QuickCase current implementation relies on global roles defined as part of user metadata. However, when consumed to be applied, filtering is applied to filter out roles in the form caseworker-<orgId>* for which the organisation identified differs from the current organisation. In effect, this makes these roles organisation-specific. Roles not following the caseworker- pattern however are used and applied regardless of organisation, making them global.

By being implicit, the rule for selecting relevant roles is non-intuitive and favours mistakes in access control configuration. In addition, in a multi-tenant context, non-namespaced global roles could result in conflicts across tenants with the risk of access being granted beyond the tenant's organisation.

As such, the preferred route is to phase out global roles and entirely replace them by organisation-specific roles instead. As this is a breaking change, a transition period should be respected with both deprecated global roles and organisation roles being available and supported in parallel.
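The two selection models contrasted in the comment above, as an added illustration that is not code from spring-oidc or QuickCase. It assumes a `caseworker-<orgId>-...` role name in which the organisation id contains no hyphen, takes the current global roles as a plain set of strings, and represents the proposed organisation-specific roles as a hypothetical map keyed by organisation id; all role names and organisation ids below are constructed sample values.

```java
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Hypothetical illustration (not spring-oidc code) of why implicit role
 * selection from a global claim can leak access across tenants, and how
 * organisation-keyed roles avoid it.
 */
public final class OrganisationRoleSelection {

    private static final String CASEWORKER_PREFIX = "caseworker-";

    private OrganisationRoleSelection() {
    }

    /**
     * Current model: one global set of roles. Roles named caseworker-<orgId>-...
     * are kept only when <orgId> matches the current organisation; any role
     * not following that pattern is applied regardless of organisation.
     */
    public static Set<String> selectFromGlobalRoles(Set<String> globalRoles, String currentOrgId) {
        return globalRoles.stream()
                .filter(role -> !role.startsWith(CASEWORKER_PREFIX)
                        || orgIdOf(role).equals(currentOrgId))
                .collect(Collectors.toUnmodifiableSet());
    }

    /**
     * Proposed model: roles are stored per organisation, so a role can only
     * ever be applied within the organisation it was granted for.
     * The Map<orgId, roles> structure is an assumption made for this example.
     */
    public static Set<String> selectFromOrganisationRoles(Map<String, Set<String>> rolesByOrg,
                                                          String currentOrgId) {
        return Set.copyOf(rolesByOrg.getOrDefault(currentOrgId, Set.of()));
    }

    /** Extracts <orgId> from caseworker-<orgId>-..., assuming the id has no hyphen. */
    private static String orgIdOf(String caseworkerRole) {
        String rest = caseworkerRole.substring(CASEWORKER_PREFIX.length());
        int dash = rest.indexOf('-');
        return dash < 0 ? rest : rest.substring(0, dash);
    }

    public static void main(String[] args) {
        // Constructed sample: a user with two organisation-scoped roles and
        // one non-namespaced "global" role, all carried in a single claim.
        Set<String> globalRoles = Set.of(
                "caseworker-org1-solicitor",
                "caseworker-org2-solicitor",
                "admin");

        // With implicit filtering the caseworker roles are tenant-specific,
        // but "admin" is granted in every organisation the user touches.
        System.out.println("org1 (global model): " + selectFromGlobalRoles(globalRoles, "org1"));
        // -> contains caseworker-org1-solicitor and admin
        System.out.println("org2 (global model): " + selectFromGlobalRoles(globalRoles, "org2"));
        // -> contains caseworker-org2-solicitor and admin

        // Organisation-keyed roles: "admin" was granted for org1 only, so org2
        // receives nothing it was not explicitly given.
        Map<String, Set<String>> rolesByOrg = Map.of(
                "org1", Set.of("caseworker-org1-solicitor", "admin"),
                "org2", Set.of("caseworker-org2-solicitor"));

        System.out.println("org1 (organisation model): " + selectFromOrganisationRoles(rolesByOrg, "org1"));
        System.out.println("org2 (organisation model): " + selectFromOrganisationRoles(rolesByOrg, "org2"));
        System.out.println("org3 (organisation model): " + selectFromOrganisationRoles(rolesByOrg, "org3"));
        // -> [] for org3, since the user holds no roles in that organisation
    }
}
```

Running `main` shows the point of the discussion: under the global model the non-namespaced `admin` role appears in the effective role set for every organisation, while under the organisation-keyed model each organisation only sees the roles granted for it, and an unknown organisation resolves to an empty set rather than to whatever happened to be in the global claim.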