Feature/add consultancy account

[GustaafL]

Description

Add a Consultant account that has read access to accounts of clients.

Use case: Our customer is the supplier to a bunch of other (client) accounts on the server. They should have read-only access to some accounts. At least this is the first step. So they can oversee what happens, for instance for servicing questions and problems.

Look & Feel

The consultant will be able to see the accounts in their overview page and the assets they have access to. The consultant client will be able to see which account has read access to their account.

How to test

Tests are added in flexmeasures/api/v3_0/tests/test_assets_api.py
To test in the UI create a consultant account and a consultant client account in the CLI. Then go to the account pages and see the accounts represented.

Further Improvements

Potential improvements to be done in the same PR or follow up Issues/Discussions/PRs.

Related Items

The technical discussion can be found here: #868
The issue that this closes can be found here: #203

---

• I agree to contribute to the project under Apache 2 License.
• To the best of my knowledge, the proposed patch is not based on code under GPL or other license that is incompatible with FlexMeasures

[nhoening]

Good start!

I found a mix-up in how it's supposed to work, though.

Can you edit the PR description (only relevant sections), and then also reference discussion #868

Once we have this working well, I think I'd like to implement my idea of the required user role, as well (see discussion: "Addendum: also require a user role"). Better to do that right away, because otherwise the access might apply to too many people.

[GustaafL]

I've added the customer-manager user role as a requirement for accessing consultant client accounts by consultants.

[nhoening]

Good iteration! Only smaller comments at this point.

Maybe we should add a small sentence/paragraph to https://flexmeasures.readthedocs.io/en/latest/concepts/security_auth.html#authorization, to explain this concept.

[nhoening]

Very close to done.
I'd like to add the consultant's account ID to the client account when I'm creating it on the CLI (we discussed that once in person).
That would also make it easy enough for me to test this PR locally.

[GustaafL]

I've added the option to add a consultancy-account-id in the CLI and a test that this works as expected.

[nhoening]

I tested it (via the UI) and it works.
I feel that one part is too confusing for later, and needs more clarity. Then we can merge!

[Flix6x]

I used the following psql statements to get a short demo going. Perhaps the first statement is suited to already be included in the database migration.

insert into role (name, description) values ('customer-manager', 'Consultant that manages another customer');
insert into roles_users (user_id, role_id) values (<user ID of consultant>, <role ID that was just created>);
update account set consultancy_account_id=<account ID of consultant organisation> where id=<account ID of consultee organisation>;

UPDATE: we found out that we haven't created new user roles before within database migrations, so my suggestion is maybe not the way to go. What we had done before was to add new user roles to a list in data.scripts.data_gen.add_default_user_roles, so it would get picked up when running flexmeasures add initial-structure. That list currently consists of just the admin and admin-reader roles, so I believe we had missed adding the account-admin to it at some point in the past.

[nhoening]

So we should add two new roles there in our current PR? Thanks.

[GustaafL]

So we should add two new roles there in our current PR? Thanks.

Done

[nhoening]

Nice work!