Permissions model

Permissions shall be granted through OAuth scopes or other custom claims. As these claims can be application-specific, a general-purpose approach is proposed using Members, Roles and ClaimSets with the following relationships:

  • Many-to-many between Members and Roles
  • One-to-many between Roles and ClaimSets

A Role describes a high-level role a member has, for example “onboarding”. A ClaimSet describes the specific OAuth claims associated with that role. ClaimSets are kept separate from Roles so that each ClaimSet can be limited to a single OAuth client: a Role that involves several clients then holds one ClaimSet per client, and a member does not need to join multiple Roles to cover them.

An example ClaimSet for Grafana access to the “viewer” team may look like the following:

{
    "scope": ["openid", "email"],
    "groups": ["viewer"]
}

This ClaimSet would be restricted to the Grafana OAuth client so that the “openid” scope is not granted to other clients, which would inadvertently give access to them as well.
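The following is an added illustration of the Member / Role / ClaimSet model described above, not code from the member portal itself; it shows how resolving claims per OAuth client keeps the Grafana “openid” scope out of tokens issued to other clients. The client ids (“grafana”, “wiki”) and the “onboarding” ClaimSets are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Added illustration of the Members / Roles / ClaimSets model. The client ids,
# the "wiki" client and the "onboarding" claims are assumptions, not from the page.

@dataclass
class ClaimSet:
    client_id: str   # the single OAuth client this ClaimSet may be issued to
    claims: dict     # the claims themselves, e.g. {"scope": [...], "groups": [...]}

@dataclass
class Role:
    name: str
    claim_sets: list = field(default_factory=list)  # one Role -> many ClaimSets

@dataclass
class Member:
    username: str
    roles: list = field(default_factory=list)       # many Members <-> many Roles

def claims_for(member: Member, client_id: str) -> dict:
    """Claims to issue to `member` on a token requested by `client_id`.

    Only ClaimSets bound to that client are consulted, so a scope granted for
    one client (e.g. "openid" for Grafana) never leaks into another client's
    token. List-valued claims are unioned in role order; scalar claims must agree.
    """
    merged: dict = {}
    for role in member.roles:
        for cs in role.claim_sets:
            if cs.client_id != client_id:
                continue  # belongs to another client: ignore it entirely
            for key, value in cs.claims.items():
                if isinstance(value, list):
                    seen = merged.setdefault(key, [])
                    merged[key] = seen + [v for v in value if v not in seen]
                elif merged.get(key, value) != value:
                    raise ValueError(f"conflicting claim {key!r} for client {client_id!r}")
                else:
                    merged[key] = value
    return merged

# Constructed sample data: the Grafana "viewer" ClaimSet from the page, plus an
# assumed "onboarding" Role that spans two clients with one ClaimSet each.
GRAFANA, WIKI = "grafana", "wiki"
viewer = Role("viewer", [ClaimSet(GRAFANA, {"scope": ["openid", "email"], "groups": ["viewer"]})])
onboarding = Role("onboarding", [
    ClaimSet(WIKI, {"scope": ["profile"], "groups": ["new-members"]}),
    ClaimSet(GRAFANA, {"scope": ["email"], "groups": ["onboarding"]}),
])
alice = Member("alice", [viewer, onboarding])
bob = Member("bob", [onboarding])
```

Calling `claims_for(alice, WIKI)` returns only the wiki ClaimSet's claims, with no “openid” scope, while `claims_for(alice, GRAFANA)` merges the viewer and onboarding groups for Grafana.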

  • Last modified: 11 hours ago
  • by samp20