gaia
Enhanced Roles and RBAC
Currently there are only options for User/Admin and the ability for users to be part of organizations. The problem is a "user" inside an organization has too many permissions. As an example, an admin can publish a module, make it available to multiple organizations, but a standard user in any organization can edit that module, including removing it from other organizations they are not a part of.
The user role should only allow the execution of stacks based on modules that have been published. This is a light description of how this may work.
Role | Permissions |
---|---|
Global Admin | Any operation across all organizations |
Global Module Admin | Create and edit any module across all organizations |
Organization Admin | Any operation inside of an organization |
Organization Module Admin | Create and edit any module inside an organization |
User | Can create and manage stacks deployed from published modules |
When a global role with module create permissions publishes a module there should also be an option to prevent further modification of that module by organization level roles. In this way a global role can push modules to be consumed to an organization level role, and organizational level roles can still create and modify their own modules.
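The role table and the publish-time lock proposed above can be expressed as two authorization checks. This is an added sketch, not part of the issue and not Gaia's code: the `Principal` and `Module` classes, the `locked` flag and the function names are hypothetical, and it assumes an organization-level role counts as "inside" a module's organization when the module is available to that organization.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Role(Enum):
    GLOBAL_ADMIN = "Global Admin"
    GLOBAL_MODULE_ADMIN = "Global Module Admin"
    ORG_ADMIN = "Organization Admin"
    ORG_MODULE_ADMIN = "Organization Module Admin"
    USER = "User"

GLOBAL_ROLES = {Role.GLOBAL_ADMIN, Role.GLOBAL_MODULE_ADMIN}
MODULE_EDITORS = GLOBAL_ROLES | {Role.ORG_ADMIN, Role.ORG_MODULE_ADMIN}
STACK_ROLES = {Role.GLOBAL_ADMIN, Role.ORG_ADMIN, Role.USER}

@dataclass(frozen=True)
class Principal:                     # hypothetical: the caller being authorized
    role: Role
    org: Optional[str] = None        # None for global roles

@dataclass
class Module:                        # hypothetical: only the fields the checks need
    name: str
    orgs: set = field(default_factory=set)   # organizations the module is available to
    published: bool = False
    locked: bool = False             # the proposed "prevent further modification" option

def can_edit_module(p: Principal, m: Module) -> bool:
    if p.role not in MODULE_EDITORS:
        return False                 # the User role never edits modules
    if p.role in GLOBAL_ROLES:
        return True                  # global roles are not bound by the lock
    # Organization-level roles: own organization only, and not when locked.
    return p.org in m.orgs and not m.locked

def can_run_stack(p: Principal, m: Module) -> bool:
    if p.role is Role.GLOBAL_ADMIN:
        return True                  # "any operation across all organizations"
    if p.role not in STACK_ROLES:
        return False                 # module-only roles do not manage stacks
    # Assumption: stacks deploy only from published modules shared with the org.
    return m.published and p.org in m.orgs
```

Deny-by-default matters here: a role missing from `MODULE_EDITORS` or `STACK_ROLES` gets no access, so adding a new role later cannot silently inherit edit rights.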
Hi @erick-prosimo, thank you for this detailed issue. I will work on this in the next few weeks. I'll add details about the implemented permissions on this issue.
Hi guys, any update for this one?