Design fine-grained access control within record manager

[blcham]

One of main goals is to remove extensions SUPPLIER and OPERATOR.

• explicit keycloak roles:
  • publishing records
  • rejecting records
  • complete records
  • delete/edit/view organization records
  • delete/edit/view all records
  • edit users
  • codelist import

Note:

• internal authorization needs to save everything related to roles/role groups to the repository.
• PUBLISH button is available only in extension SUPPLIER. (see e.g., 23ava-distribution/supplier-ava/docker-compose.yml EXTENSIONS: "${RECORD_MANAGER_EXTENSIONS:-supplier}")

Related to issue: #206

A/C:

• fine-grained roles work, and we can compose roles into groups within keycloak
• it is usable at least in a restricted but meaningful way in internal authorization

[palagdan]

@blcham

If I understand the task correctly, we can add two different groups for operators and suppliers, as shown in the picture below:

Each group can have its own subgroups that inherit roles from the parent group. This allows us to create different subgroups with specific roles.

[blcham]

Open questions:

• Should we show a group of roles in the RM-UI? Yes but maybe only for internal authorization

  • It makes sense, at least in the internal authorization case. Moreover, we will have at least some role names prepared with some initial semantics on how It could be used and redefined in the Keycloak. Note that the Inheritance of roles is working in groups within Keycloak.
    

• @palagdan Is it possible to retrieve role groups in the token?

• How will we treat users not being in any institution?

  • see Design how RM should be configurable w.r.t. institutions #206

[palagdan]

Yes, we can retrieve groups in the token, see https://stackoverflow.com/questions/56362197/keycloak-oidc-retrieve-user-groups-attributes

[blcham]

1. ok, try to implement part of the code related to differences between supplier and operator, do it in a way it would be possible to merge with keycloak reconfiguration

2. investigate how to assign in keycloak default roles and role groups. it should help u with 1)

[palagdan]

@blcham
I set up Keycloak with two groups (Operator and Supplier) and configured client scopes to include this information in the token. From the access token, I can retrieve this information. It seems to be working

[palagdan]

@blcham
Regarding your second task, I have set up the groups with default roles. As shown in the picture, the supplier group has assigned roles to the user. I've only set Admin role myself.

We should discuss a list of roles for each group.

[blcham]

• roles delete/edit/view should be 3 separate roles
• there should be global prefix to this role i.e. record_manager_ or just rm_
• please unify naming e.g. completing_... --> complete_records
• btw you do not need to put it to export-realm.xml yet but need to mark down what to do first
• FYI, RM should not do anything with role_groups beside visualizing it (rely on roles)

[palagdan]

@blcham

1. I want to discuss what roles should I assign to each group.
2. Should I change 'Roles' to 'Group' and display the Group name instead? Since a user can have multiple roles, it might be more effective to show the group to which the user is assigned.
   

[palagdan]

@blcham
We currently have the following roles:

• ROLE_ADMIN
• ROLE_USER
• rm_complete_records
• rm_delete_all_records
• rm_delete_organizations_records
• rm_edit_all_records
• rm_edit_organizations_records
• rm_edit_users
• rm_import_codelist
• rm_publish_records
• rm_reject_records
• rm_view_all_records
• rm_view_organizations_records

If Keycloak saves personal information about users to the repository, why can't it save roles and groups as well? It doesn't make sense to handle this on the backend because, with every request, the system would need to check Keycloak for changes and then update the repository accordingly.

[palagdan]

@blcham

The Publish button is in the Operator extension (not Supplier). Can you explain what this button does?

[blcham]

publish button imports all completed records from operator deployment to supplier deployment

rm_edit_organizations_records --> rm_edit_organization_records

rm_import_codelist --> rm_import_codelists