Desired rights permissions

OpenConext · Mar 25, 2024 · c4c99b2 · c4c99b2
1 parent 81339c1
commit c4c99b2
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 14 deletions.
diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
@@ -459,7 +459,7 @@ manage:
     - {
         name: "dashboard",
         password: "{{ manage_dashboard_secret }}",
-        scopes: ["READ", "CHANGE_REQUEST"]
+        scopes: ["READ", "CHANGE_REQUEST_IDP", "CHANGE_REQUEST_SP"]
       }
     - {
         name: "myconext",
@@ -474,7 +474,7 @@ manage:
     - {
         name: "sysadmin",
         password: "{{ manage_sysadmin_secret }}",
-        scopes: ["READ", "WRITE", "PUSH", "SYSTEM"]
+        scopes: ["READ", "WRITE_IDP", "WRITE_SP", "PUSH", "SYSTEM"]
       }
     - {
         name: "invite",

diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml
@@ -344,7 +344,7 @@ manage:
     - {
         name: "dashboard",
         password: "{{ manage_dashboard_secret }}",
-        scopes: ["READ", "CHANGE_REQUEST"]
+        scopes: [ "READ", "CHANGE_REQUEST_SP", "CHANGE_REQUEST_IDP" ]
       }
     - {
         name: "myconext",
@@ -359,7 +359,7 @@ manage:
     - {
         name: "sp-dashboard",
         password: "{{ manage_sp_dashboard_secret }}",
-        scopes: ["READ", "WRITE", "PUSH", "DELETE"]
+        scopes: [ "READ", "WRITE_SP", "CHANGE_REQUEST_SP", "PUSH", "DELETE" ]
       }
     - {
         name: "invite",
@@ -369,7 +369,7 @@ manage:
     - {
         name: "sysadmin",
         password: "{{ manage_sysadmin_secret }}",
-        scopes: ["READ", "WRITE", "PUSH", "SYSTEM"]
+        scopes: ["READ", "WRITE_SP", "WRITE_IDP", "PUSH", "SYSTEM"]
       }
     - {
         name: "stats",

diff --git a/roles/manage-server/templates/manage-api-users.yml.j2 b/roles/manage-server/templates/manage-api-users.yml.j2
@@ -1,13 +1,13 @@
 # Valid scopes are manage.api.Scope.values(); =>
-# CHANGE_REQUEST, //Allowed to create change requests
-# PUSH, //Allowed to push changes to EB & OIDC-NG
-# READ, //Allowed to read entities
-# SYSTEM, //Allowed everything including Attribute Manipulation and updating / deleting Identity Providers
-# TEST, //Only used internally
-# WRITE, //Allowed to create and update all entities (excluding Identity Providers)
-# POLICIES, //Allowed to CRUD PdP Policies
-# DELETE, //Allowed to delete entities (excluding Identity Providers)
-# ADMIN //Standard scope for all GUI related endpoint (e.g. /manage/api/client/** endpoints)
+#    ADMIN, //Standard scope for all GUI related endpoint (e.g. /manage/api/client/** endpoints)
+#    CHANGE_REQUEST_IDP, //Allowed to create change requests for IdP
+#    CHANGE_REQUEST_SP, //Allowed to create change requests for SP
+#    POLICIES, //Allowed to create (excluding Identity Providers) and update all entities
+#    PUSH, //Allowed to push changes to EB & OIDC-NG
+#    READ, //Allowed to read entities
+#    SYSTEM, //Allowed everything including Attribute Manipulation
+#    WRITE_SP, //Allowed to CRUD SP / RP /RS
+#    WRITE_IDP //Allowed to CRUD IdP
 
 apiUsers:
   {% for user in manage.apiUsers %}