From: Aditya Toshniwal
Date: Thu, 13 Mar 2025 15:55:25 +0530
Subject: Re: Role based access control discussion
To: Dave Page
Cc: pgadmin-hackers

Hi Dave,

On Thu, Mar 13, 2025 at 3:36 PM Dave Page wrote:

> Hi
>
> On Thu, 13 Mar 2025 at 06:16, Aditya Toshniwal <
> aditya.toshniwal@enterprisedb.com> wrote:
>
>> Hi Hackers,
>>
>> I have started looking into a feature where users have requested for
>> custom roles. The roles can then be assigned permissions. Here's what I
>> think how it can be done:
>>
>>    1. Create a framework for roles based access control.
>>    2. Allow adding/editing/deleting roles from UI.
>>    3. User management dialog can be converted to a tab to get extra
>>    space for other stuff.
>>    4. pgAdmin can have some predefined permissions. The permissions can
>>    then be used to validate at the API levels and UI.
>>    5. New permissions cannot be added from UI as it will require code
>>    changes. They can be added based on user requests.
>>    6. Admin can allow these permissions to the roles and roles can be
>>    assigned to users.
>>    7. Permissions will be used to
>>    8. Admin role remains static with no changes allowed.
>>
>> Let me know your thoughts on this. If everything looks good then I will
>> proceed.
>>
>
> What permissions would we support initially?
>

Based on https://github.com/pgadmin-org/pgadmin4/issues/7310, we can start
with not allowing users to register a server. We'll start with 1 or 2 maybe,
the intention is to create a framework which will allow us to keep adding
permissions on future requests.

>
> --
> Dave Page
> pgAdmin: https://www.pgadmin.org
> PostgreSQL: https://www.postgresql.org
> pgEdge: https://www.pgedge.com
>

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Staff SDE II | *enterprisedb.com*
"Don't Complain about Heat, Plant a TREE"
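
A minimal sketch of the scheme proposed in this thread, added here as an illustration and not pgAdmin code: permissions fixed in code, roles that can be added, edited and deleted, a static admin role, and a check at the API level that denies by default. The permission name `server.register`, the role names, and every class and function name are assumptions.

```python
from functools import wraps

# Predefined in code; adding one needs a code change. Name is hypothetical.
PERMISSIONS = frozenset({"server.register"})
ADMIN = "Administrator"

class PermissionDenied(Exception):
    """Raised when the caller's role lacks the required permission."""

class RoleStore:
    """Custom roles are editable at runtime; the admin role is static."""
    def __init__(self):
        self._roles = {ADMIN: set(PERMISSIONS)}

    def set_role(self, name, permissions):
        """Create or edit a role, rejecting permissions not defined in code."""
        if name == ADMIN:
            raise ValueError("the admin role cannot be modified")
        unknown = set(permissions) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self._roles[name] = set(permissions)

    def delete_role(self, name):
        if name == ADMIN:
            raise ValueError("the admin role cannot be deleted")
        self._roles.pop(name, None)

    def allows(self, role, permission):
        # A missing, unknown or deleted role grants nothing (default deny).
        return permission in self._roles.get(role, ())

STORE = RoleStore()

def requires(permission):
    """Guard an API handler; a misspelled permission fails at import time."""
    if permission not in PERMISSIONS:
        raise ValueError(f"undefined permission: {permission}")
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not STORE.allows(user.get("role"), permission):
                raise PermissionDenied(permission)
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator

@requires("server.register")
def register_server(user, host):
    # Stand-in for the real handler; only reached after the check passes.
    return f"{user['name']} registered {host}"
```

Hiding the "register server" control in the UI from the same permission set is a convenience only; the server-side check is what enforces the restriction.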