skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0
549 stars, 194 forks

Customisable admin roles #138

Open colin-freemarketfx opened 1 year ago

colin-freemarketfx commented 1 year ago

When I add a user as an admin, I have to give them access to everything.

I'd like to be able to configure multiple admin roles and limit the areas of the admin portal that are accessible based on the roles applied to the user.

I've checked the docs but I do apologise if I've missed an existing implementation.

skoruba commented 1 year ago

Hey, now it is one role for everything for simplicity. How do you suggest splitting it? thx

colin-freemarketfx commented 1 year ago

I think you would have to keep the AdministrationRole setting for backwards compatibility, and it is nice for simplicity. The role having this would still have master-admin levels of permission, i.e. everything.

I would propose adding a policy and matching configuration setting, initially just for user settings (which selfishly is the main one we care about) but eventually for each controller/UI section, for instance:

  - UserAdministratorRoles - would specify a comma-separated list of roles having access to the user read/write methods
  - UserAdministrationPolicy - would be used in the authorise attribute

It surely must be possible to then feed the user's role(s) into Index.cshtml to limit the visible options.

With a feature like this, we can give our first/second-line support access to support users' queries without totally giving away the keys to the kingdom 😁

skoruba commented 1 year ago

Sure, it makes sense - can you send a PR with this idea? thanks

colin-freemarketfx commented 1 year ago

I will, thanks. I'm on a few days leave but I've got a slot coming up in a couple weeks' time I could put something together.

skoruba commented 1 year ago

Great, looking forward

colin-freemarketfx commented 1 year ago

Hi @skoruba, I've made a start and I'd like to share a draft PR before I go too far down the line. However, I don't have permission; could I get access, please?

EDIT: you can probably tell I'm totally new to open source - I've since been informed I need to create a fork - a colleague is going to take me through it next week

[image]

This is the kind of idea that I have so far. First I'd like to block / allow access to certain areas of the UI on the front end:

[image]

Back end too, but I think this is not so critical as we're just implementing handrails rather than a security feature here:

[image]

The support policies are written to include admin, so if you have admin you have all the support roles:

[image]

Permissions can be given using a csv format, so you can combine some roles and limit others:

[image]

I think I see two phases:

  1. The work I've done so far, to outright limit certain parts of the UI
  2. A second phase with flags to make particular fields read only unless you're an admin

I'd be keen to hear what you think, sorry it's taken so long to get back on this 😅
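As an added illustration of the scheme proposed in this thread (the comma-separated role setting plus a matching policy for the user area, with the master admin role folded into every support policy), here is an ASP.NET Core authorization setup in the style the discussion describes. This is example code written for this page, not code from the skoruba project or from the draft PR; the policy names, the `AdminConfiguration:UserAdministratorRoles` key and the `UserController` are assumptions, and the sample `appsettings.json` fragment in the comment is constructed.

```csharp
// Added example (not project code): per-area admin policies built from a
// comma-separated role list, with the existing AdministrationRole kept as the
// "everything" role for backwards compatibility.
//
// Constructed appsettings.json fragment this code reads (key names assumed):
// "AdminConfiguration": {
//   "AdministrationRole": "IdentityAdminAdministrator",   // placeholder value
//   "UserAdministratorRoles": "SupportL1, SupportL2"       // csv of support roles
// }
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AdminPolicyNames
{
    // Master policy: unchanged single-role behaviour.
    public const string Administration = "AdministrationPolicy";
    // Scoped policy used on the user read/write controller (name assumed).
    public const string UserAdministration = "UserAdministrationPolicy";
}

public static class AdminAuthorizationExtensions
{
    // Turns "SupportL1, SupportL2" into ["SupportL1", "SupportL2"]; an empty or
    // missing setting yields no extra roles rather than a blank role name.
    public static string[] ParseRoleCsv(string? csv) =>
        (csv ?? string.Empty)
            .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
            .Distinct(StringComparer.Ordinal)
            .ToArray();

    public static IServiceCollection AddAdminAuthorizationPolicies(
        this IServiceCollection services, IConfiguration configuration)
    {
        // Fail at startup rather than silently granting nothing or everything.
        var adminRole = configuration["AdminConfiguration:AdministrationRole"]
            ?? throw new InvalidOperationException("AdminConfiguration:AdministrationRole is not configured.");

        var userAdminRoles = ParseRoleCsv(configuration["AdminConfiguration:UserAdministratorRoles"]);

        services.AddAuthorization(options =>
        {
            options.AddPolicy(AdminPolicyNames.Administration,
                policy => policy.RequireRole(adminRole));

            // The support policy always includes the admin role, so holding
            // AdministrationRole implies every scoped policy, as proposed above.
            options.AddPolicy(AdminPolicyNames.UserAdministration,
                policy => policy.RequireRole(userAdminRoles.Append(adminRole).Distinct().ToArray()));
        });

        return services;
    }
}

// Back-end enforcement on the user area: a first-line support account holding
// only "SupportL1" reaches this controller but not ones guarded by the master policy.
[Authorize(Policy = AdminPolicyNames.UserAdministration)]
public class UserController : Controller
{
    public IActionResult Index() => View();
}
```

For the front-end side mentioned in the thread (hiding menu entries in the index view), the same policy names can be checked from Razor with `@inject IAuthorizationService` and `AuthorizationService.AuthorizeAsync(User, AdminPolicyNames.UserAdministration)`, so the view and the controller share one definition of who may see the user area; the `[Authorize]` attribute remains the control that actually enforces it.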