public inbox for [email protected]
help / color / mirror / Atom feedFrom: Dave Page <[email protected]>
To: Aditya Toshniwal <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: Role based access control discussion
Date: Thu, 13 Mar 2025 10:57:23 +0000
Message-ID: <CA+OCxowMMr_9xB0Dn6H0zRZza3kjztFhijvd1YWLzUZ7Rf4C9g@mail.gmail.com> (raw)
In-Reply-To: <CAM9w-_kjvSGfZ+K1qFABhYfE0kCJ0gDWU3ZyT-Ywb0AEX8=3eg@mail.gmail.com>
References: <CAM9w-_n9sUD1i_qzfowp5=CS0voUnmcGX-UeK8pZ5k3+xuHtLQ@mail.gmail.com>
<CA+OCxowN3uKQLWTf6F1j7_Zo_72CVj+jue4XjOdnRp3LHxH7Qw@mail.gmail.com>
<CAM9w-_kjvSGfZ+K1qFABhYfE0kCJ0gDWU3ZyT-Ywb0AEX8=3eg@mail.gmail.com>
On Thu, 13 Mar 2025 at 10:26, Aditya Toshniwal <
[email protected]> wrote:
> Hi Dave,
>
> On Thu, Mar 13, 2025 at 3:36 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Thu, 13 Mar 2025 at 06:16, Aditya Toshniwal <
>> [email protected]> wrote:
>>
>>> Hi Hackers,
>>>
>>> I have started looking into a feature where users have requested for
>>> custom roles. The roles can then be assigned permissions. Here's what I
>>> think how it can be done:
>>>
>>> 1. Create a framework for roles based access control.
>>> 2. Allow adding/editing/deleting roles from UI.
>>> 3. User management dialog can be converted to a tab to get extra
>>> space for other stuff.
>>> 4. pgAdmin can have some predefined permissions. The permissions can
>>> then be used to validate at the API levels and UI.
>>> 5. New permissions cannot be added from UI as it will require code
>>> changes. They can be added based on user requests.
>>> 6. Admin can allow these permissions to the roles and roles can be
>>> assigned to users.
>>> 7. Permissions will be used to
>>> 8. Admin role remains static with no changes allowed.
>>>
>>> Let me know your thoughts on this. If everything looks good then I will
>>> proceed.
>>>
>>
>> What permissions would we support initially?
>>
>
> Based on https://github.com/pgadmin-org/pgadmin4/issues/7310, we can
> start with not allowing users to register a server. We'll start 1 or 2 may
> be, the intention is to create a framework which will allow us to keep
> adding permissions on future requests.
>
The reason I ask is that there's no point in creating a framework if we
just end up with a single permission for adding/removing servers. I think
it makes sense to be sure there are likely to be other permissions before
committing to something likely to be a lot more complex than just adding an
attribute to a user.
--
Dave Page
pgAdmin: https://www.pgadmin.org
PostgreSQL: https://www.postgresql.org
pgEdge: https://www.pgedge.com
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: Role based access control discussion
In-Reply-To: <CA+OCxowMMr_9xB0Dn6H0zRZza3kjztFhijvd1YWLzUZ7Rf4C9g@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox