.Stat DLM UI for managing user access
As Gyorgy,
I want to see and manage user permissions (create, update, delete) from the DLM
So that I don't need to use the swagger
Regular user checking own permissions
The own permission page is accessible by clicking on the user name -> [icon] My permissions menu button in the top menu of the DLM.
The My permissions button remains highlighted until the user switches to a different view.
The page main area will show the list of the permissions applying to the current authenticated user, which is to be retrieved from the AuthMgmt method /AuthorizationRules/me and which contains:
- ID: the permission ID as returned by the AuthMgmt service
- User/Group: the user email address or group name preceded by a user icon or group icon
- Space
- Type (map numbers to DLM artefact type labels using config/translations)
- Agency
- Artefact
- Version
- Permission (display the label of the corresponding single granular permission or the single combined role as configured in the DLM configuration/translations, see annex below, otherwise display the text "Special permissions")
Note for the page area:
- Add a legend with: '*' means 'Any'
- Resize the table to fit into the screen width
- Clicking on any row allows seeing the details of an existing permission. This highlights the row of the permission to be viewed in orange and opens a dialog window with usual DLM styles and with the same content as for Edit permission below, except the title is "[icon] Details for permission [ID]" and all fields are grayed and non-editable. The only action possible is "Close".
The page filters are regenerated and contain:
- filter by space (only those in the above list)
- filter by type (usual list of artefact types reduced to those in the above list)
- filter by user/group (only those in the above list)
- filter by agency (only those in the above list)
- filter by artefact (only those in the above list)
- filter by version (only those in the above list)
- filter by permission (only those in the above list except those not corresponding to pre-defined granular permission or to combined roles for which labels are to be configured in new DLM configuration/translations, see annex below)
Note for the page filters:
- Replace * with * (Any).
- If there is only one listed value in a filter, then hide the filter.
Admin managing all users permissions
When the user has any "Change permissions" permission for any included internal space, then add a menu button Manage permissions to the DLM header (before Dump) with the corresponding icon.
When clicking on this button, then similarly to the above view for My permissions, the page main area will show the list of the permissions that the current user is allowed to manage, which is to be retrieved from the AuthMgmt method /AuthorizationRules. The permission details can be viewed by clicking on the rows. The page filters are regenerated and contain the corresponding filters (same rules).
The Manage permissions button remains highlighted until the user switches to a different view.
In addition, the admin will see:
- an Add permission button with the corresponding add icon, aligned with the spotlight search and next to the number of permissions, to add a new permission
- an Actions column containing an edit icon, to update an existing permission, and a trash icon, to delete an existing permission.
When clicking on the Add permission button, a dialog window titled "Add new permission" preceded by an icon appears, using the standard DLM styles. The dialog shows the following fields:
- User/group label and a text field
- Dataspace label and a dropdown menu filled with the list of internal dataspaces for which the user has "Manage permissions" permissions
- Artefact type label and a dropdown menu filled with the list of artefact types defined in the DLM
- Maintenance agency ID label and a text field
- Artefact ID label and a text field
- Artefact version label and a text field
- Permissions label, a tab Basic permissions as default tab and a tab Advanced permissions
  - Basic permissions contains a column of checkboxes, a column Permission and a column Description, one row per role (combined granular permissions) as defined in the new DLM configuration/translations, see annex below. In addition, the last row contains an option for "Special permissions" which is always grayed and non-editable. It is auto-ticked in case the user has selected granular permissions that do not correspond to any pre-defined role. Otherwise, if the user selected granular permissions in the Advanced permissions tab that correspond to a specific set of roles then those are automatically pre-selected.
  - Advanced permissions contains a column of checkboxes, a column Permission and a column Definition, one row per granular permission as defined in the new DLM configuration/translations, see annex below. They are automatically pre-selected with the permissions according to the current selection in the "Basic permissions" tab.
- A Cancel button to quit the dialog without saving the new user permission.
- A Save button to quit the dialog after saving the new user permission. Once the permission is saved it should appear in the main view list together with a green "new" indication.
Notes:
- The "Add permission" dialog should always be prefilled with the same settings as saved previously in the same dialog in the same user session (to help adding several permissions without requiring to start filling the dialog from scratch).
- The User/group input text should take * as parameter or be kept blank to apply the permission on any user/group.
When clicking on the edit icon, the row of the permission to be edited is highlighted in orange, a dialog window appears that is similar to the Add permission dialog window. But it has the title "Edit permission [ID]" preceded by the corresponding icon, a Save button instead of an Add button, and usual DLM styles. All fields except permissions are grayed and non-editable.
When clicking on the trash icon, the row of the permission to be edited is highlighted in orange, a dialog window appears. It has the title "Delete permission [ID]" preceded by the corresponding icon. It has Cancel and Delete buttons, and asks to confirm the deletion.
Annex
Summary of styles
Styles, colors and fonts are to be aligned with those currently used in the DLM
- Use as "Delete permission" icon: https://mui.com/components/material-icons/?selected=Delete
- Use as "Edit permission" icon: https://mui.com/components/material-icons/?selected=Edit
- Use as "Manage permissions" icon: https://mui.com/components/material-icons/?selected=Security
- Use as "My permissions" icon: https://mui.com/components/material-icons/?selected=AdminPanelSettings
- Use as "Add permission" icon: https://mui.com/components/material-icons/?selected=AddModerator
- Use as isGroupe=false icon: https://mui.com/components/material-icons/?selected=Person
- Use as isGroupe=true icon: https://mui.com/components/material-icons/?selected=Group
Definitions of granular permissions and roles, as well as their labels and descriptions
The DLM should define the translations for the labels and descriptions corresponding to the granular permissions for the Advanced permissions tab as pre-defined in the Authorizations Management Service:
Id | Granular permission - Eurostat identifier | Label | Description |
---|---|---|---|
1 | CanReadStructuralMetadata | Read structures | Allows retrieving structural information |
16 | CanImportStructures | Insert structures | Allows adding new structural information |
128 | CanUpdateStructuralMetadata | Update structures | Allows updating existing structural information |
512 | CanDeleteStructuralMetadata | Delete structures | Allows deleting structural information |
2 | CanReadData | Read non-embargoed data | Allows retrieving non-embargoed data |
2048 | CanReadPitData | Read embargoed data | Allows retrieving embargoed data |
32 | CanImportData | Insert data | Allows adding new embargoed and non-embargoed data (Note: In .Stat Suite this permission currently also allows updating existing embargoed and non-embargoed data.) |
256 | CanUpdateData | Update data | Allows updating existing embargoed and non-embargoed data (Note: In .Stat Suite this permission is currently ineffective.) |
1024 | CanDeleteData | Delete data | Allows deleting embargoed and non-embargoed data |
64 | CanModifyStoreSettings | Manage permissions | Allows modifying permissions (Note: In .Stat Suite this permission is currently ineffective. To allow managing permissions, 'full control' must be given.) |
4 | CanIgnoreProductionFlag | Ignore production flag | Allows ignoring production flag attribute (not used in .Stat Suite) |
8 | CanPerformInternalMappingConfig | Perform internal mapping config | Allows performing internal mapping configuration attribute (not used in .Stat Suite) |
Per DLM-scope, the DLM configuration should allow defining any roles (combined granular permissions for the Basic permissions tab) together with their translations for the labels and descriptions based on the granular permissions as defined in the Authorizations Management Service. By default (the list can be fully edited directly by the system administrator), the DLM defines the following set of roles (including a sub-set of roles as pre-defined (by Eurostat) in the Authorizations Management Service):
Id | Composition | Eurostat role identifier | Label | Description |
---|---|---|---|---|
3 | =1+2 | WsUserRole | Read structures and data | Allows retrieving structural information and non-embargoed data |
2051 | =1+2+2048 | - | Read structures and embargoed data | Allows retrieving structural information and embargoed and non-embargoed data |
145 | =1+16+128 | StructureImporterRole_U | Change structures | Allows retrieving, inserting and updating structural information |
657 | =1+16+128+512 | StructureImporterRole | Manage structures | Allows retrieving, inserting, updating and deleting structural information |
3363 | =1+2+32+256+1024+2048 | - | Manage data | Allows retrieving structural information and retrieving, inserting, updating and deleting embargoed and non-embargoed data |
4095 | =1+2+4+8+16+32+64+128+256+512+1024+2048 | AdminRole | Full control | Allows fully managing structural information, embargoed and non-embargoed data, and permissions |
[any other sum] | [any other combination] | - | Special permissions | Special combinations of advanced permissions |
For OECD staging, pre-prod and prod, the following DLM configuration should replace the default configuration:
Id | Composition | Label | Description |
---|---|---|---|
3 | =1+2 | Guest | Allows retrieving structural information and non-embargoed data |
2051 | =1+2+2048 | Reader | Allows retrieving structural information and embargoed and non-embargoed data |
3363 | =1+2+32+256+1024+2048 | Updater | Allows retrieving structural information and retrieving, inserting, updating and deleting embargoed and non-embargoed data |
4031 | =1+2+4+8+16+32+128+256+512+1024+2048 | Manager | Allows fully managing structural information and embargoed and non-embargoed data |
4095 | =1+2+4+8+16+32+64+128+256+512+1024+2048 | Super Exec | Allows fully managing structural information, embargoed and non-embargoed data, and permissions |
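Added example (not part of the DLM code base): one way to resolve the Permission column label and the Basic/Advanced tab state from a permission value, using the Ids and labels of the annex tables. The function and constant names (decompose, permissionLabel, basicSelection, OECD_ROLES) are hypothetical.

```javascript
// Granular permission Ids and labels, copied from the annex table.
const GRANULAR = {
  1: "Read structures", 2: "Read non-embargoed data",
  4: "Ignore production flag", 8: "Perform internal mapping config",
  16: "Insert structures", 32: "Insert data", 64: "Manage permissions",
  128: "Update structures", 256: "Update data", 512: "Delete structures",
  1024: "Delete data", 2048: "Read embargoed data",
};
// Default roles and the OECD override, copied from the annex tables.
const DEFAULT_ROLES = {
  3: "Read structures and data", 2051: "Read structures and embargoed data",
  145: "Change structures", 657: "Manage structures",
  3363: "Manage data", 4095: "Full control",
};
const OECD_ROLES = {
  3: "Guest", 2051: "Reader", 3363: "Updater", 4031: "Manager", 4095: "Super Exec",
};
const ALL_BITS = Object.keys(GRANULAR).reduce((m, id) => m | Number(id), 0);

// Split a permission value into its granular Ids, ascending.
// Rejects values carrying bits that the annex does not define.
function decompose(value) {
  if (!Number.isInteger(value) || value <= 0 || (value & ~ALL_BITS) !== 0) {
    throw new RangeError(`not a valid permission value: ${value}`);
  }
  return Object.keys(GRANULAR).map(Number).filter((bit) => (value & bit) !== 0);
}

// Permission column: single granular label, configured role label, or the fallback.
function permissionLabel(value, roles = DEFAULT_ROLES) {
  const bits = decompose(value);
  if (bits.length === 1) return GRANULAR[bits[0]];
  return roles[value] ?? "Special permissions";
}

// Basic tab state for the granular Ids ticked in the Advanced tab.
// "Special permissions" is ticked when the combination matches no configured role.
function basicSelection(tickedIds, roles = DEFAULT_ROLES) {
  const value = tickedIds.reduce((m, id) => m | id, 0);
  if (value !== 0) decompose(value); // validate the ticked Ids
  const role = roles[value] ?? null;
  return { value, role, special: value !== 0 && role === null };
}
```

The same value 4031 resolves to "Manager" under the OECD configuration and to "Special permissions" under the default one; its decomposition omits 64, the only bit separating it from 4095.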