logto-io
feature request: add provisioning capabilities for permissions and resources creation
What problem did you meet?
I have tried to create new resources and scopes (permissions) from the Admin console in Logto (OSS version). And it is really heavy to define a lot of resources or permissions via UI or Management API. Therefore, I was thinking about a more efficient way to sync configurations between the project repo and the Logto instance.
Describe what you'd like Logto to have
To have a single source of truth for all permissions and resources definitions in Logto, it will be great if we could do provisioning from a configuration file that we define in our repo. Using the Management API or other methods, we can then update all configurations in a single request or update (w/ appropriate security checks: Auth headers, ...).
As an example, it could be a yaml, toml or json config file with the following patterns:
resources:
- baseUrl: https://api.store.io
/orders:
- read:order
- write:order
- delete:order
/products:
- read:product
- write:product
- delete:product
roles:
order_admin:
# the resources/permissions attributions are autocompleted from above definition in resources.
https://api.store.io/orders:
- read:order
- write:order
- delete:order
https://api.store.io/products:
- read:product
product_admin:
https://api.store.io/products:
- read:product
- write:product
- delete:product
An idea of a workflow could be to update it using the logto CLI with a command similar to logto cli permissions update <config_file.yml>.
What do you think ?
Hi @LBF38 this is a really good point. We are proposing similar product ideas. An additional idea, do you have similar needs for organization set up? Because in organization level it also have role-based access control
Thanks for your reply @fleuraly , I haven't used yet the organisations and associated RBAC. Therefore, I don't have enough experience with it to provide insightful feedbacks.
I would imagine a similar config file with specific keys and helpers for defining it.
@LBF38 Thanks for providing some context! Your suggestion makes total sense. Navigating through the UI or management API isnβt efficient when you already have an RBAC design or need bulk management. Iβm currently working on this feature, so please stay tuned. :)
I'm looking to migrate to Logto from auth0 and this feature is a game changer! @fleuraly do you have an ETA maybe?
This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi Logto's team, As I had some time playing around, I built a simple CLI tool to provision a Logto instance using the Management API. Here is the project: https://github.com/LBF38/logto_provisioning
Even though it can be massively enhanced, this is a beginning, a simple POC on the way to build this feature. Hope you'll enjoy it !
Hey, I have created a PR to add it to the awesome list
https://github.com/logto-io/logto/pull/7432
Let me know if you would like to further contribute it into the Logto CLI package.
Thanks @charIeszhao for the mention ! I'll see if I have time to contribute to the Logto CLI pkg or improve the Go CLI.
This issue is stale because it has been open for 30 days with no activity.