Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Current »

Add your comments directly to the page. Include links to any relevant research, data, or feedback.

Status

IN PROGRESS

Impact

MEDIUM (core+api+ui) or HIGH (core+api+ui+gui)

Driver

Alessandro Domanico 

Approver

Alessandro Domanico

Stakeholders

Antonio Verni Niccolò Pasquetto Riccardo Costa Paurav Munshi Alessandro Falezza Andrei Dodu

Informed

Ilario Gavioli

Due date

Outcome

Option 1: RBAC

Background

At the moment the user’s permission schema is realized with four tables in the DB:

  • USERS: contains users and passwords

  • GROUPS: contains users’ groups

  • MENUITEM: contains all functionalities among menuitems, submenus and buttons

  • GROUPMENU: contains the associations between GROUPS and MENUITEM

This is ok for the Swing GUI, but in a REST application the workflow is slighty different

Relevant data

It would be nice to use the same DB tables, by adding new ones

Options considered

Option 1:

Option 2:

Description

RBAC

ABAC

Pros and cons

(plus) There’s a React guideline

(plus) It is already implemented

(minus) Doesn’t provide fine graned policies as ABAC

(plus) provides fine graned policies for accessing resources (see examples)

(minus) it requires a new complex architecture (see architecture)

Estimated cost

LOW

MEDIUM

Action items

  • To define a permissions’ schema pattern
  • To create a Jira issue with the specifications ( OP-727 - Getting issue details... STATUS )

Outcome

Different analysis led to the same conclusion: in order to improve (in the short-term) the actual permissions system in the web application (core+api+ui) with minimum changes it will be enough to develop the proposed solution (Paurav Munshi) which introduces:

  • a DB table for “Entitlements” (CRUD for each entity)

  • a DB table for “Group-Entitlements” definition (linked to the actual USERGROUP)

  • NICE TO HAVE a DB table for “User-Usergroup” association that allows multiple roles to the same user (it will affect also how the application works in non-web environment (core+gui)

  • No labels