fine grained access

[palagdan]

Resolves partially #202
Resolves partially #158

[palagdan]

In the internal authorization, an admin user can assign roles using a multi-select input and can also remove roles as needed. These roles are then saved to the repository.
I can also add a group field, so admin can choose the specific group and roles will be added automatically.

[blcham]

see my comments + tests are failing

[blcham]

what is role_type?

[palagdan]

it is a mapper between roles and types

[blcham]

Do we really need to duplicate strings from ROLE?

[blcham]

can we use convention instead? see below

[palagdan]

There may be an issue because some roles, such as admin and doctor, do not have the 'rm' prefix, making it difficult to differentiate them. Also there is a problem if we want to display roles in readable form such as "Publish Records" etc.

[blcham]

I suggest to infer local name from url by convention:

rm_ <--- 'http://onto.fel.cvut.cz/ontologies/record-manager/'

view_all_records <--- view-all-records

convention is that _ is used instead -

[palagdan]

I initially chose the (-) as the divider because I noticed in mode.ttl that other resources and properties use it, such as:

###  http://onto.fel.cvut.cz/ontologies/record-manager/has-last-editor
rm:has-last-editor rdf:type owl:ObjectProperty ;
                   rdfs:subPropertyOf rm:relates-to .


###  http://onto.fel.cvut.cz/ontologies/record-manager/has-member
rm:has-member rdf:type owl:ObjectProperty ;
              rdfs:subPropertyOf rm:relates-to ;
              owl:inverseOf rm:is-member-of .


###  http://onto.fel.cvut.cz/ontologies/record-manager/has-owner
rm:has-owner rdf:type owl:ObjectProperty ;
             rdfs:subPropertyOf rm:relates-to .

However, I will change it to _.

[palagdan]

done

[blcham]

inconsistent with reject_records ---> complete-records

[palagdan]

done

[palagdan]

@blcham
Now it looks like this:

The admin can choose the roles for users if he have role EDIT_USER. The group input currently does not function because we need to discuss how it should be implemented. It might be better to disable the Roles input and assign roles based on the chosen group.

The next point for discussion is how Keycloak will retrieve information about roles. Currently, Keycloak only gets information about roles for the current user, which makes it impossible to display accurate information about other users. I think it would be beneficial to configure the Keycloak plugin to also save this information.

[blcham]

we do not want to assign roles, but role groups !! --- as we discussed we want to keep label "role" in RM-UI but assign there ONE role group ... but as i said if it is not changeable or even not visible there i fo not care that much -- it is not that important, we have keycloak for that.

[palagdan]

@blcham
I understand that we prefer not to assign roles manually but instead through group roles. However, I made manual role assignment possible solely for testing the UI with specific roles, such as the "edit user," "reject," and "complete" buttons, etc. I have developed a solution using internal authorization where users will only need to select a group role. Based on the selected group role, specific roles will automatically be assigned to the user, as you mentioned in a previous review.

In Keycloak authorization, I recommend not displaying the group role, as doing so would require storing it in a triple (via the plugin change).

So we will have these group roles if undestand correctly:

[OPERATOR_ADMIN]

• publishing records
• rejecting records
• complete records
• delete/edit/view organization records
• edit users
• codelist import

[OPERATOR_USER]

• complete records

[SUPPLIER_ADMIN]

• rejecting records
• complete records
• delete/edit/view organization records
• delete/edit/view all records
• edit users
• codelist import

[SUPPIER]

• complete records

[NON-ANONYMOUS QUESTIONARE]

• complete records

[palagdan]

There is now a "Role Group" input that automatically assigns a roles to the user based on a group. I've left disabled roles input because there’s currently no other way to see which roles are assigned to the user, similar to how it's displayed in Keycloak. I can remove this if it’s not necessary for internal authorization.

In Keycloak, there is no "Role Group" or "Roles" option because, as mentioned before, this information should be stored in triples to show valid information. As you said, it’s not necessary for keycloak profile, as all the relevant information is already in Keycloak. Additionally, I’m not sure if we want to retrieve the role group from the token, as you previously mentioned that all the logic is based on roles, and the groups are only for demonstration purposes.

[blcham]

add comment that this is deprecated and will be replaced

[blcham]

@palagdan I rebased this PR

[blcham]

@palagdan could you describe what the issue is and in which profile (I've lost it somehow :(