Global Roles
Abstract
This document outlines the design for Global Roles in the authentication and authorization system, enabling roles that apply across all workspaces.
Motivation
Administrators currently need to assign the same roles repeatedly in multiple workspaces
Need for a mechanism to assign roles at the system level that apply globally
Simplify permission management for system administrators
Reduce the risk of permission inconsistencies across workspaces
Introduction
Global Role: A system-level role assigned to users that will be included in all PrincipalTokens and participate in authorization regardless of which workspace is being accessed. This design addresses the need for consistent role assignment across the system while maintaining compatibility with the existing authorization model.
Concepts
Functional design
ClusterAdmin: Update Global Roles
Technical design
~cmp.c.registry.UpdateGlobalRoles~
✅ AuthZ: System
TYPE UpdateGlobalRolesParams (
    Login text NOT NULL,       -- login whose global roles are replaced
    AppName text NOT NULL,     -- application the login belongs to
    GlobalRoles varchar(1024)  -- comma-separated list of global roles, same format as Login.GlobalRoles
);
COMMAND UpdateGlobalRoles (UpdateGlobalRolesParams);
~cmp.cdoc.registry.Login.GlobalRoles~
✅ New field in the Login table
ALTER WORKSPACE sys.AppWorkspaceWS (
    TABLE Login INHERITS sys.CDoc (
        -- ... existing fields ...
        GlobalRoles varchar(1024)  -- comma-separated list of global roles
    );
);
~cmp.c.registry.IssuePrincipalToken~
✅ Include GlobalRoles in the PrincipalToken
~tuc.UseGlobalRolesInAuthz~
✅ Include principals according to PrincipalToken.GlobalRoles
~it.TestGlobalRoles~
✅ Integration test to verify Global Roles functionality
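How the IssuePrincipalToken and UseGlobalRolesInAuthz items fit together, as an added Go example that is not Voedger's code: a hypothetical PrincipalToken carrying the comma-separated GlobalRoles value, the normalization that storage format needs (whitespace, empty entries, duplicates), and an authorization check that merges workspace-level roles with the token's global roles so the global ones take effect in whatever workspace is accessed. Type and function names are assumptions, and the role names are constructed sample values.

```go
package main

import "strings"

// PrincipalToken models the token claims this design adds (hypothetical type, not Voedger's).
type PrincipalToken struct {
	GlobalRoles string // comma-separated, copied from the Login.GlobalRoles field
}

// ParseGlobalRoles normalizes the stored field: trims, drops empties and duplicates, keeps order.
func ParseGlobalRoles(s string) []string {
	seen := map[string]bool{}
	var out []string
	for _, part := range strings.Split(s, ",") {
		if r := strings.TrimSpace(part); r != "" && !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// Principals is the role set used for authorization: roles granted in the accessed
// workspace plus the token's global roles, which apply in every workspace (value = global).
func Principals(tok PrincipalToken, wsRoles []string) map[string]bool {
	ps := map[string]bool{}
	for _, r := range wsRoles {
		ps[r] = false
	}
	for _, r := range ParseGlobalRoles(tok.GlobalRoles) {
		ps[r] = true // a role granted both locally and globally is recorded as global
	}
	return ps
}

// IsAllowed grants the operation when any principal role appears in its ACL.
func IsAllowed(ps map[string]bool, allowedRoles ...string) bool {
	for _, a := range allowedRoles {
		if _, ok := ps[a]; ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: no workspace-level role, the global role arrives via the token.
	tok := PrincipalToken{GlobalRoles: " sys.ClusterAdmin,,sys.Auditor"}
	println(IsAllowed(Principals(tok, nil), "sys.ClusterAdmin")) // true
}
```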