This is manually kept in sync with spec/spec.md.
can-login
countries.[read|write]
coverage.[read|write]
demographics.read
diseases.write
estimates.read
estimates.read-unfinished
estimates.review
estimates.submit
estimates.write
modelling-groups.manage-members
modelling-groups.read
modelling-groups.write
models.[read|write]
responsibilities.[read|write|review]
roles.[read|write]
scenarios.[read|write]
touchstones.finish
touchstones.open
touchstones.prepare
touchstones.read
users.read
users.edit-all
users.create
vaccines.write
And for the reports API:
reports.read
reports.review
A role is defined by a scope_prefix
and a name
.
Some roles are 'simple'. You either have them, or you don't, and they apply to all
securables equally. These are stored in the database with a null
scope_prefix
.
When a user is granted a simple role no scope can be specified and the user gets
the associated permissions with a scope of *
.
Other roles are 'complex'. They apply to subset of securables. For example, to a
particular modelling group. They are stored in the database with a non-null
scope_prefix
. When a user is granted a complex role a scope identifier must
be specified and the user gets the associated permissons with a scope of
SCOPE_PREFIX:SCOPE_IDENTIFIER
.
This is what should be in the DB, in JSON, for lack of a better option, probably also with a numeric primary key.
[
{
"name": "user",
"scope_prefix": null,
"description": "Log in",
"permissions": [ "can-login", "scenarios.read", "countries.read", "modelling-groups.read", "models.read", "touchstones.read", "responsibilities.read", "users.read", "estimates.read" ]
},
{
"name": "touchstone-preparer",
"scope_prefix": null,
"description": "Prepare touchstones",
"permissions": [ "diseases.write", "vaccines.write", "scenarios.write", "countries.write", "touchstones.prepare", "responsibilities.write", "coverage.read" ]
},
{
"name": "touchstone-reviewer",
"scope_prefix": null,
"description": "Review touchstones before marking as 'open'",
"permissions": [ "touchstones.open", "coverage.read" ],
},
{
"name": "coverage-provider",
"scope_prefix": null,
"description": "Upload coverage data",
"permissions": [ "coverage.read", "coverage.write" ],
},
{
"name": "user-manager",
"scope_prefix": null,
"description": "Manage users and permissions",
"permissions": [ "users.create", "users.edit-all", "roles.read", "roles.write", "modelling-groups.write" ],
},
{
"name": "estimates-reviewer",
"scope_prefix": null,
"description": "Review uploaded burden estimates",
"permissions": [ "estimates.review", "estimates.read-unfinished" ]
},
{
"name": "reports-reader",
"scope_prefix": null,
"description": "Can access the reporting portal and view all published reports",
"permissions": [ "reports.read" ]
},
{
"name": "reports-reviewer",
"scope_prefix": null,
"description": "Choose which reports to publish (and can view unpublished reports)",
"permissions": [ "reports.read", "reports.review" ]
},
{
"name": "member",
"scope_prefix": "modelling-group",
"description": "Member of the group",
"permissions": [ "estimates.read-unfinished", "coverage.read", "demographics.read" ]
},
{
"name": "uploader",
"scope_prefix": "modelling-group",
"description": "Upload burden estimates",
"permissions": [ "estimates.write" ],
},
{
"name": "submitter",
"scope_prefix": "modelling-group",
"description": "Mark burden estimates as complete",
"permissions": [ "estimates.submit" ]
},
{
"name": "user-manager",
"scope_prefix": "modelling-group",
"description": "Manage group members and permissions",
"permissions": [ "modelling-groups.manage-members", "users.create", "roles.write" ]
},
{
"name": "model-manager",
"scope_prefix": "modelling-group",
"description": "Add new models and model versions",
"permissions": [ "models.write" ]
},
{
"name": "funder",
"scope_prefix": null,
"description": "Funder",
"permissions": [ "coverage.read", "demographics.read" ]
},
{
"name": "admin",
"scope_prefix": null,
"description": "Consortium admin team ",
"permissions": [ "coverage.read", "touchstones.prepare", "reports.read", "responsibilities.review" ]
},
{
"name": "developer",
"scope_prefix": null,
"description": "Consortium tech team",
"permissions": [ "coverage.read", "touchstones.prepare", "reports.read" ]
}
]