
Customisable admin roles

Open colin-freemarketfx opened this issue 3 years ago • 6 comments

When I add a user as an admin, I have to give them access to everything.

I'd like to be able to configure multiple admin roles and limit the areas of the admin portal that are accessible based on the roles applied to the user.

I've checked the docs but I do apologise if I've missed an existing implementation.

colin-freemarketfx avatar Feb 09 '23 15:02 colin-freemarketfx

Hey, now it is one role for everything for simplicity. How do you suggest to split it? thx

skoruba avatar Feb 09 '23 17:02 skoruba

I think you would have to keep the AdministrationRole setting for backwards compatibility, and it is nice for simplicity. The role having this would still have master-admin levels of permission, i.e. everything.

I would propose adding a policy and matching configuration setting, initially just for user settings (which selfishly is the main one we care about) but eventually for each controller/UI section, for instance:

UserAdministratorRoles - would specify a comma separated list of roles having access to the user read/write methods

UserAdministrationPolicy - would be used in the authorise attribute

It surely must be possible to then feed the user's role(s) into Index.chtml to limit the visible options.

With a feature like this, we can give our first/second-line support access to support users' queries without totally giving away the keys to the kingdom 😁

colin-freemarketfx avatar Feb 10 '23 09:02 colin-freemarketfx

Sure, it makes sense - can you send a PR with this idea? thanks

skoruba avatar Feb 10 '23 09:02 skoruba

I will, thanks. I'm on a few days leave but I've got a slot coming up in a couple weeks' time I could put something together.

colin-freemarketfx avatar Feb 10 '23 16:02 colin-freemarketfx

Great, looking forward

skoruba avatar Feb 10 '23 17:02 skoruba

Hi @skoruba, I've made a start and I'd like to share a draft PR before I go too far down the line. However, I don't have permission, could I get access please?

EDIT: you can probably tell I'm totally new to open source - I've since been informed I need to create a fork - a colleague is going to take me through it next week

image

This is the kind of idea that I have so far, first I'd like to block / allow access to certain areas of the ui on the front end:

image

Back end too, but I think this is not so critical as we're just implementing handrails rather than a security feature here:

image

The support policies are written to include admin, so if you have admin you have all the support roles:

image

Permissions can be given using a csv format, so you can combine some roles and limit others:

image

I think I see two phases:

  1. The work I've done so far, to outright limit certain parts of the UI
  2. A second phase with flags to make particular fields read only unless you're an admin

I'd be keen to hear what you think, sorry it's taken so long to get back on this 😅

colin-freemarketfx avatar Mar 24 '23 16:03 colin-freemarketfx
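The following is an added example, not code from the Skoruba project or from either participant, showing one way the per-area policies proposed in this thread (a comma-separated `UserAdministratorRoles` setting feeding a `UserAdministrationPolicy` used in the authorise attribute, with the existing `AdministrationRole` still granting everything) can be expressed with standard ASP.NET Core authorization. The configuration section name `AdminConfiguration`, the `AdminPolicies` class and the `ParseRoles` helper are assumptions for the example; only the setting and policy names come from the thread.

```csharp
// Added example, not project code. Assumed appsettings.json shape:
//   "AdminConfiguration": {
//     "AdministrationRole": "<master admin role name>",
//     "UserAdministratorRoles": "Support,Helpdesk"
//   }
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class AdminPolicies
{
    // Existing master-admin policy: the AdministrationRole keeps full access.
    public const string Administration = "AdministrationPolicy";
    // Proposed per-area policy for the user read/write controllers.
    public const string UserAdministration = "UserAdministrationPolicy";

    // Turns "Support, Helpdesk ,support" into ["Support", "Helpdesk"]:
    // trims whitespace, drops empty entries and case-insensitive duplicates.
    public static string[] ParseRoles(string? csv) =>
        (csv ?? string.Empty)
            .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();

    public static IServiceCollection AddAdminAuthorization(
        this IServiceCollection services, IConfiguration configuration)
    {
        var section = configuration.GetSection("AdminConfiguration"); // assumed section name
        var adminRole = section["AdministrationRole"]
            ?? throw new InvalidOperationException("AdminConfiguration:AdministrationRole is not set");
        var userAdminRoles = ParseRoles(section["UserAdministratorRoles"]);

        services.AddAuthorization(options =>
        {
            // Unchanged behaviour: the master admin role is enough for everything.
            options.AddPolicy(Administration, p => p.RequireRole(adminRole));

            // The support policy is written to include the admin role, so holding
            // the admin role satisfies every per-area policy without extra config.
            // RequireRole with several names succeeds if the user has ANY of them.
            options.AddPolicy(UserAdministration, p =>
                p.RequireRole(userAdminRoles.Append(adminRole).ToArray()));
        });

        return services;
    }
}

// Back-end enforcement: the policy gates the whole user-management controller,
// so hiding menu entries in the UI is a convenience on top of this, not the control.
[Authorize(Policy = AdminPolicies.UserAdministration)]
public class UsersController : Controller
{
    public IActionResult Index() => View();
}

// Front-end side (Razor, shown here as a comment because it is not C#):
//   @inject IAuthorizationService AuthorizationService
//   @if ((await AuthorizationService.AuthorizeAsync(User, AdminPolicies.UserAdministration)).Succeeded)
//   {
//       <a asp-controller="Users" asp-action="Index">Users</a>
//   }
// The same policy name drives both the menu visibility and the controller check,
// so the two cannot drift apart when roles are added to the CSV setting.
```

Registering it is a single call in `Program.cs` or `Startup.ConfigureServices`: `services.AddAdminAuthorization(Configuration);`. Because the policy, not the raw role name, is what the controller and the view reference, a later phase that makes individual fields read-only can add further policies (for example a write-only variant) without touching the existing attributes.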