Enhanced Roles and RBAC #721

Open
erick-prosimo opened this issue Jul 27, 2022 · 2 comments
Labels
✨ enhancement New feature or request ✨ feature:organizations organizations & RBAC

@erick-prosimo

Currently there are only options for User/Admin and the ability for users to be part of organizations. The problem is a "user" inside an organization has too many permissions. As an example, an admin can publish a module and make it available to multiple organizations, but a standard user in any organization can edit that module, including removing it from other organizations they are not a part of.

The user role should only allow the execution of stacks based on modules that have been published. This is a light description of how this may work.

| Role | Permissions |
| --- | --- |
| Global Admin | Any operation across all organizations |
| Global Module Admin | Create and edit any module across all organizations |
| Organization Admin | Any operation inside of an organization |
| Organization Module Admin | Create and edit any module inside an organization |
| User | Can create and manage stacks deployed from published modules |

When a global role with module create permissions publishes a module, there should also be an option to prevent further modification of that module by organization level roles. In this way a global role can push modules to be consumed to an organization level role, and organizational level roles can still create and modify their own modules.

@erick-prosimo erick-prosimo added the ✨ enhancement New feature or request label Jul 27, 2022
@juwit juwit added the ✨ feature:organizations organizations & RBAC label Aug 1, 2022
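
The role table and the lock option requested in the issue above, sketched as authorization checks. This is an added example, not code from the project or from any participant in this thread; the `Principal` and `Module` types, the function names, and the two rules marked as assumptions in the comments are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):  # the five roles from the table in the issue
    GLOBAL_ADMIN = "Global Admin"
    GLOBAL_MODULE_ADMIN = "Global Module Admin"
    ORG_ADMIN = "Organization Admin"
    ORG_MODULE_ADMIN = "Organization Module Admin"
    USER = "User"

GLOBAL_MODULE_ROLES = {Role.GLOBAL_ADMIN, Role.GLOBAL_MODULE_ADMIN}
ORG_MODULE_ROLES = {Role.ORG_ADMIN, Role.ORG_MODULE_ADMIN}

@dataclass(frozen=True)
class Principal:  # hypothetical type
    name: str
    role: Role
    org: str | None = None  # None for global roles

@dataclass
class Module:  # hypothetical type
    name: str
    orgs: set[str] = field(default_factory=set)  # organizations the module is available to
    published: bool = False
    locked: bool = False  # the requested "prevent further modification" option

def can_edit_module(p: Principal, m: Module) -> bool:
    if p.role in GLOBAL_MODULE_ROLES:
        return True
    # Organization roles edit only inside their own organization, never a locked module.
    return p.role in ORG_MODULE_ROLES and p.org in m.orgs and not m.locked

def can_unshare(p: Principal, m: Module, target_org: str) -> bool:
    # Assumption: removing a module from an organization is an edit scoped to that
    # organization, so an organization role may only remove it from its own.
    if p.role in GLOBAL_MODULE_ROLES:
        return True
    return can_edit_module(p, m) and target_org == p.org

def can_deploy_stack(p: Principal, m: Module) -> bool:
    # Assumption: the module-admin roles carry module permissions only, as in the table.
    if not m.published:
        return False
    if p.role is Role.GLOBAL_ADMIN:
        return True
    return p.role in {Role.ORG_ADMIN, Role.USER} and p.org in m.orgs
```

Denying by default and deriving every decision from the role plus the module's organization set keeps the cross-organization removal described in the issue out of reach of the User role.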
@juwit
Member

juwit commented Aug 1, 2022

Hi @erick-prosimo
Thank you for this detailed issue.
I will work on this in the next few weeks.
I'll add details about the implemented permission on this issue.

@juwit juwit self-assigned this Aug 1, 2022
@wangtaotao0524

Hi guys, any update for this one?
