Implement roles and permissions on algorithm and organization level #316

anneschuth opened this issue Oct 25, 2024 · 0 comments
anneschuth commented Oct 25, 2024

Description

Based on the research ticket in ClickUp.
The data model:

Organizations
└── Organization A
    ├── Organization Info
    ├── Organization Members
    └── Algorithms
        ├── Algorithm 1
        │   ├── Team
        │   └── Systemcard
        │       ├── AI Act Profile
        │       ├── Tasks
        │       ├── Requirements
        │       ├── Measures
        │       ├── Tools
        │       └── Models
        └── Algorithm 2
            ├── Team
            └── Systemcard
                └── ...
└── Organization B
    └── ...

The roles:

| Id | Roles | Scope | Description |
|----|-------|-------|-------------|
| 1 | Maintainer Organization | Single organization and all its algorithms | Has full permissions and access to the entire organization |
| 2 | Member Organization | Single organization and all its algorithms | Can see everything in the organization, can create new algorithms |
| 3 | Viewer Organization | Single organization and all its algorithms | Can see everything in the organization but cannot edit anything |
| 4 | Maintainer Algorithm | Single algorithm within an organization | Has full permissions for specific algorithm |
| 5 | Member Algorithm | Single algorithm within an organization | Can edit specific algorithm |
| 6 | Viewer Algorithm | Single algorithm within an organization | Can view specific algorithm |

The verbs:

  1. List (can only see items in lists, like a list of algorithms; can't click through to or see any details)
  2. Read
  3. Create
  4. Update
  5. Delete
  • These verbs are incremental, allowing for a structured functional understanding of the permissions. For example, if a role is granted the permission to delete, it inherently includes the permissions to update, create, read, and list.
    However, this does not necessarily mean that this hierarchy must be used technically!

The permissions:

  • Users must have one organization role (id = 1,2,3) per organization they belong to.

  • Users can have one algorithm role (id = 4,5,6) per algorithm within organizations they belong to.

  • Without an algorithm role, users can only list the algorithm within their organization.

  • Without an organization role, users can only list the organizations.

  • Users can have one organization role and multiple algorithm roles (one per algorithm) within that organization. Algorithm-level permissions override organization permissions for that specific algorithm.

  • Permissions of the below table are structured hierarchically for the resources in the systemcard, starting with a baseline action such as "read," "update," or "delete." If additional details are provided for a resource, they indicate variations or exceptions to the baseline permission.

  • The italic rows in the table represent all types of tasks, depending on the structure of the systemcard these are all different resources (requirements, measures and instruments) or 1 resource (tasks).

  • System-wide permissions:

    • Any authenticated user can create new organizations
    • The creator of an organization automatically becomes Organization Maintainer
    • Default role for new organization members is Member Organization

| ID | Verb | Resource | Notes |
|----|------|----------|-------|
| 0 | Create | Organization | Any authenticated user can create new organizations |
| 1 | Update | Organization/Info/ | Affects single organization |
| 1 | Delete | Organization/Algorithm/ | Affects all algorithms inside the organization |
| 1 | Delete | Organization/Members/ | Affects all people inside the organization |
| 1 | Delete | Algorithm/team | In case maintainer removes itself from algorithm or when algorithm has no maintainer |
| 2 | Read | Organization/Info/ | |
| 2 | Create | Organization/Algorithm/ | |
| 2 | Read | Organization/Members/ | |
| 3 | Read | Organization/Info/ | |
| 3 | List | Organization/Algorithm/ | Can only see basic info (algorithm names) |
| 3 | Read | Organization/Members/ | |
| 4 | Delete | Systemcard/ | |
| 4 | Update | Systemcard/ai_act_profile/labels | |
| 4 | Delete | Systemcard/tasks/ | |
| 4 | Delete | Systemcard/requirements/ | |
| 4 | Delete | Systemcard/measures/ | |
| 4 | Delete | Systemcard/tools/ | |
| 4 | Delete | Systemcard/models/ | |
| 4 | Delete | Algorithm/team | |
| 5 | Update | Systemcard/ | |
| 5 | Read | Systemcard/ai_act_profile/labels | |
| 5 | Update | Systemcard/tasks/ | |
| 5 | Delete | Systemcard/requirements/ | |
| 5 | Delete | Systemcard/measures/ | |
| 5 | Delete | Systemcard/tools/ | |
| 5 | Update | Systemcard/models/ | |
| 5 | Read | Algorithm/team | |
| 6 | Read | Systemcard/ | |
| 6 | Read | Systemcard/tasks/ | |
| 6 | Delete | Systemcard/requirements/ | |
| 6 | Delete | Systemcard/measures/ | |
| 6 | Delete | Systemcard/tools/ | |
| 6 | Read | Systemcard/models/ | |
| 6 | Read | Algorithm/team | |

Designs

Organization level:

Role changes are made through a modal inside the 'Leden'/'Members' tab of the organization with:

  • Title: Change the role of {{ name }}
  • Content:
    • Select a new role for {{ name }}: (list with radio buttons)
    • Maintainer (subtext: has full permissions and access to the entire organization)
    • Member (subtext: can see everything in the organization, can create new algorithms, and can edit all algorithms)
    • Reader (subtext: can see everything in the organization but cannot edit anything)
  • Buttons: Change role (danger style) and Cancel
  • Default role when adding a new user to an organization is 'Member'.

Algorithm level:

The roles for the team/algorithm can be set inside the algorithm page:

  • Default role when adding a new user to an algorithm is 'Member'.

Implementation Notes

@anneschuth anneschuth converted this from a draft issue Oct 25, 2024
@ravimeijerrig ravimeijerrig changed the title Authorization of users Implement roles with permissions & link people to roles on algorithm objects Nov 7, 2024
@ravimeijerrig ravimeijerrig changed the title Implement roles with permissions & link people to roles on algorithm objects Link people to roles on algorithm objects Nov 22, 2024
@ravimeijerrig ravimeijerrig changed the title Link people to roles on algorithm objects Implement roles and permissions on algorithm and organization Dec 2, 2024
@ravimeijerrig ravimeijerrig changed the title Implement roles and permissions on algorithm and organization Implement roles and permissions on algorithm and organization levle Dec 3, 2024
@ravimeijerrig ravimeijerrig changed the title Implement roles and permissions on algorithm and organization levle Implement roles and permissions on algorithm and organization level Dec 3, 2024
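
An added example, not part of the issue and not the project's own code: a table-driven permission check for the rules described above, combining the incremental verbs, the baseline-plus-exception rows (longest matching resource prefix wins) and the algorithm-role override. The names `Verb`, `GRANTS`, `highest_verb` and `is_allowed` are hypothetical; the example assumes default deny for resources with no matching row, reads "override" literally (an algorithm role can also lower what the organization role would allow), and copies only a subset of the non-italic rows.

```python
from enum import IntEnum


class Verb(IntEnum):
    NONE = 0    # assumption: sentinel for "no matching row", treated as deny
    LIST = 1
    READ = 2
    CREATE = 3
    UPDATE = 4
    DELETE = 5  # incremental: DELETE implies UPDATE, CREATE, READ and LIST


# role id -> {resource prefix: highest verb}; subset of the issue's table.
GRANTS = {
    1: {"Organization/Info/": Verb.UPDATE, "Organization/Algorithm/": Verb.DELETE,
        "Organization/Members/": Verb.DELETE},
    2: {"Organization/Info/": Verb.READ, "Organization/Algorithm/": Verb.CREATE,
        "Organization/Members/": Verb.READ},
    3: {"Organization/Info/": Verb.READ, "Organization/Algorithm/": Verb.LIST,
        "Organization/Members/": Verb.READ},
    4: {"Systemcard/": Verb.DELETE, "Systemcard/ai_act_profile/labels": Verb.UPDATE,
        "Algorithm/team": Verb.DELETE},
    5: {"Systemcard/": Verb.UPDATE, "Systemcard/ai_act_profile/labels": Verb.READ,
        "Algorithm/team": Verb.READ},
    6: {"Systemcard/": Verb.READ, "Algorithm/team": Verb.READ},
}
ORG_ROLES, ALGORITHM_ROLES = (1, 2, 3), (4, 5, 6)
ALGORITHM_SCOPED = ("Systemcard/", "Algorithm/")  # where an algorithm role applies


def highest_verb(role_id, resource):
    """Most specific (longest-prefix) row decides; no row means Verb.NONE."""
    grants = GRANTS.get(role_id, {})
    matches = [prefix for prefix in grants if resource.startswith(prefix)]
    return grants[max(matches, key=len)] if matches else Verb.NONE


def is_allowed(org_role, algo_role, verb, resource):
    """Check `verb` on `resource` for a user inside one organization."""
    if org_role not in ORG_ROLES:
        return False  # an algorithm role is only valid for organization members
    role = org_role
    if algo_role is not None and resource.startswith(ALGORITHM_SCOPED):
        if algo_role not in ALGORITHM_ROLES:
            return False
        role = algo_role  # algorithm role overrides the organization role
    return Verb.NONE < verb <= highest_verb(role, resource)
```

Under the literal reading of "override", an Organization Maintainer who is also a Viewer on one algorithm is limited to Read on that algorithm's systemcard, which is worth deciding explicitly before implementation.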
Projects
Status: ♻ To Do