flagsmith icon indicating copy to clipboard operation
flagsmith copied to clipboard

Published 20 hours ago verified publisher icon Flagsmith

Managing identity overrides requires UPDATE_FEATURE_STATE permission

Open rolodato opened this issue 1 year ago • 0 comments

Is your feature request related to a problem? Please describe.

Managing identity overrides currently requires the UPDATE_FEATURE_STATE permission. This is too broad of a permission for users that should only be able to manage identity overrides (i.e. enable/disable features for one customer at a time), as it allows them to manage the default feature states for all identities.

Describe the solution you'd like.

Add a new environment-level MANAGE_IDENTITY_OVERRIDES permission, and grant this to all existing users, groups and roles that currently have the UPDATE_FEATURE_STATE permission.

Describe alternatives you've considered

One alternative could be to group this permission together with MANAGE_IDENTITIES. This also feels like too broad of a permission, since it also lets users view/modify traits and delete identities, which is riskier than only being able to manage identity overrides.

Creating a dedicated permission for identity overrides is also consistent with the existing MANAGE_SEGMENT_OVERRIDES permission. It also leaves the door open for adding another permission to read/write traits

Additional context

https://app.crisp.chat/website/8857f89e-0eb5-4263-ab49-a293872b6c19/inbox/session_e27d773f-b963-4e07-9241-7d93252eaa8e/

rolodato avatar Aug 30 '24 21:08 rolodato