fine grained access

[palagdan]

Resolves partially #202
Resolves partially #158

[palagdan]

In the internal authorization, an admin user can assign roles using a multi-select input and can also remove roles as needed. These roles are then saved to the repository.
I can also add a group field, so admin can choose the specific group and roles will be added automatically.

[blcham]

see my comments + tests are failing

[palagdan]

@blcham
Now it looks like this:

The admin can choose the roles for users if he have role EDIT_USER. The group input currently does not function because we need to discuss how it should be implemented. It might be better to disable the Roles input and assign roles based on the chosen group.

The next point for discussion is how Keycloak will retrieve information about roles. Currently, Keycloak only gets information about roles for the current user, which makes it impossible to display accurate information about other users. I think it would be beneficial to configure the Keycloak plugin to also save this information.

[blcham]

we do not want to assign roles, but role groups !! --- as we discussed we want to keep label "role" in RM-UI but assign there ONE role group ... but as i said if it is not changeable or even not visible there i fo not care that much -- it is not that important, we have keycloak for that.

[palagdan]

@blcham
I understand that we prefer not to assign roles manually but instead through group roles. However, I made manual role assignment possible solely for testing the UI with specific roles, such as the "edit user," "reject," and "complete" buttons, etc. I have developed a solution using internal authorization where users will only need to select a group role. Based on the selected group role, specific roles will automatically be assigned to the user, as you mentioned in a previous review.

In Keycloak authorization, I recommend not displaying the group role, as doing so would require storing it in a triple (via the plugin change).

So we will have these group roles if undestand correctly:

[OPERATOR_ADMIN]

• publishing records
• rejecting records
• complete records
• delete/edit/view organization records
• edit users
• codelist import

[OPERATOR_USER]

• complete records

[SUPPLIER_ADMIN]

• rejecting records
• complete records
• delete/edit/view organization records
• delete/edit/view all records
• edit users
• codelist import

[SUPPIER]

• complete records

[NON-ANONYMOUS QUESTIONARE]

• complete records

[palagdan]

There is now a "Role Group" input that automatically assigns a roles to the user based on a group. I've left disabled roles input because there’s currently no other way to see which roles are assigned to the user, similar to how it's displayed in Keycloak. I can remove this if it’s not necessary for internal authorization.

In Keycloak, there is no "Role Group" or "Roles" option because, as mentioned before, this information should be stored in triples to show valid information. As you said, it’s not necessary for keycloak profile, as all the relevant information is already in Keycloak. Additionally, I’m not sure if we want to retrieve the role group from the token, as you previously mentioned that all the logic is based on roles, and the groups are only for demonstration purposes.

[blcham]

@palagdan I rebased this PR

[blcham]

@palagdan could you describe what the issue is and in which profile (I've lost it somehow :(

[palagdan]

@blcham

I fixed the issue in the Keycloak profile, so it now works as expected. You can check both the internal and Keycloak profiles.
If you approve the changes, we can update the Keycloak configuration file with the new RoleGroup and roles

First step:

• change backend to contain specific roles together with temporary role ADMINISTRATOR and USER (do not apply new roles to backend/frontend)
• change frontend to support backend
• support keycloak-auth profile
  • change kbss distribution keycloak configuration to contain new roles and role groups
• support internal-auth profile
  • add role groups in .trig file in record-manager-ui/deploy/internal-auth
  • add code to show role group + roles of current user