Currently there are only options for User/Admin and the ability for users to be part of organizations. The problem is a "user" inside an organization has too many permissions. As an example, an admin can publish a module and make it available to multiple organizations, but a standard user in any organization can edit that module, including removing it from other organizations they are not a part of.
The user role should only allow the execution of stacks based on modules that have been published. This is a light description of how this may work.
| Role | Permissions |
| --- | --- |
| Global Admin | Any operation across all organizations |
| Global Module Admin | Create and edit any module across all organizations |
| Organization Admin | Any operation inside of an organization |
| Organization Module Admin | Create and edit any module inside an organization |
| User | Can create and manage stacks deployed from published modules |
When a global role with module create permissions publishes a module, there should also be an option to prevent further modification of that module by organization-level roles. In this way a global role can push modules to be consumed to an organization-level role, and organization-level roles can still create and modify their own modules.
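One way to express the proposed role table and the publish-time lock as authorization checks. This is an added example, not code from the project or from the issue author; the names `Principal`, `Module`, `can_edit_module`, `can_unshare` and `can_deploy_stack` are hypothetical, and the rules marked as assumptions are not stated in the issue.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Role(Enum):
    GLOBAL_ADMIN = "Global Admin"
    GLOBAL_MODULE_ADMIN = "Global Module Admin"
    ORG_ADMIN = "Organization Admin"
    ORG_MODULE_ADMIN = "Organization Module Admin"
    USER = "User"

GLOBAL_ROLES = {Role.GLOBAL_ADMIN, Role.GLOBAL_MODULE_ADMIN}
ORG_MODULE_ROLES = {Role.ORG_ADMIN, Role.ORG_MODULE_ADMIN}

@dataclass(frozen=True)
class Principal:
    role: Role
    org: Optional[str] = None  # None for global roles

@dataclass
class Module:
    owner_org: Optional[str]  # None: created by a global role
    orgs: set = field(default_factory=set)  # organizations that may consume it
    published: bool = False
    locked: bool = False  # proposed option: no edits by organization-level roles

def can_edit_module(p: Principal, m: Module) -> bool:
    if p.role in GLOBAL_ROLES:
        return True
    if p.role not in ORG_MODULE_ROLES:
        return False  # the User role never edits modules
    if m.owner_org == p.org:
        return True  # an organization's own module
    # Assumption: a module pushed in from outside is editable only when unlocked.
    return p.org in m.orgs and not m.locked

def can_unshare(p: Principal, m: Module, target_org: str) -> bool:
    """Removing a module from target_org; org-level roles act on their own org only."""
    if p.role in GLOBAL_ROLES:
        return True
    return can_edit_module(p, m) and p.org == target_org

def can_deploy_stack(p: Principal, m: Module) -> bool:
    if p.role == Role.GLOBAL_ADMIN:
        return True
    # Assumption: module-admin roles get no stack permission (the table lists none).
    return p.role in {Role.ORG_ADMIN, Role.USER} and m.published and p.org in m.orgs
```

Every check denies by default, so the case described in the issue (a standard user editing a shared module or removing it from another organization) fails on the role test before any organization comparison is made.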
Hi @erick-prosimo
Thank you for this detailed issue.
I will work on this in the next few weeks.
I'll add details about the implemented permission on this issue.