Details
-
Feature Request
-
Resolution: Fixed
-
L3 - Default
-
None
-
1
-
Not defined
-
3 - Expected
Description
Problem Definition
User Story
As an Optimize admin
I want to prevent arbitrary Optimize users from creating entities
So that I can ensure data restriction
Use Cases
- Give a user read-only rights to dashboards and reports in Optimize
- Enforce that all dashboards and reports are in a Collection
- Prevent the creation of reports with sensitive data
PM Notes (Customer requests, context, assumptions)
- During trials or in dev environments, all users should be superusers to experience the potential value
- Access to production data is tightly restricted, especially in government organizations
- If this isn't hidden behind a config flag, then we need to design around the case where a process owner or developer doesn't have access to any collection. This might involve updating our blank state text and directing them to their admins.
- Another way to create a new collection is by clicking the "Dashboard" link on the Processes page. A user with access to a given process shouldn't necessarily have access to a collection with dashboard and reports.
Solution Definition
Solution Ideas
- Disable/hide the Create New button on the main page for non-superusers
- Prevent non-superusers from creating assets outside a collection (i.e. via Home page)
- Prevent non-superusers from using the Processes Page magic link to create collections and dashboards
- Prevent non-superusers from adding themselves to a collection via the Processes page magic link
- Inform the user how to gain access to a given collection/dashboard (ask the Collection Owner (username) for access
- Prevent users without access to a given Process Definition to be assigned as the Process Owner
Design Notes (Videos, mockups, guidance)
User Scenario
GIVEN
(MH/SH/NTH) WHEN
(MH/SH/NTH) THEN
Metrics (if applicable)
mgm-controller-panel
This is the controller panel for Smart Panels app
Attachments
Issue Links
- is related to
-
OPT-5970 Fine-Grained Entity Access Control
- Open
- links to
1.
|
Create new Optimize authorization for entity creation | Done | Unassigned | |
2.
|
Validate against entity creation for READ users | Done | Unassigned | |
3.
|
Add READ user access explanation and definition to documentation | Done | Unassigned | |
4.
|
Hide magic link in FE for READ Optimize users | Done | Unassigned | |
5.
|
Hide Entity creation button for READ only Optimize users | Done | Unassigned | |
6.
|
Return entities outside of a collection with 'viewer' user role | Done | Unassigned |