projects/member_portal/permissions (last modified by samp20)

====== Permissions model ======

Permissions shall be granted through OAuth scopes or other custom claims. Because the required claims are often application specific, a general-purpose model is proposed using Members, Roles and ClaimSets with the following relationships:

  * Many-to-many between Members and Roles
  * One-to-many between Roles and ClaimSets

A Role describes a high-level function a member performs, for example "onboarding". A ClaimSet describes the specific OAuth claims granted by that Role. ClaimSets are kept separate from Roles so that each ClaimSet can be bound to a single OAuth client: a Role that involves several clients carries one ClaimSet per client, and a member does not have to join several Roles to obtain them.

An example ClaimSet granting Grafana access as a member of the "viewer" team:

<code>
{
  "scope": ["openid", "email"],
  "groups": ["viewer"]
}
</code>

This ClaimSet would be bound to the Grafana OAuth client only. Restricting it to one client keeps the "openid" scope from being granted to other clients, which would otherwise inadvertently give the member access to them.
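The following Python module is an added example, not code from the member portal, that implements the three entities above and resolves the claims a member should receive for a given OAuth client. The "grafana" ClaimSet is the one shown on this page; the "gitlab" client, the "oncall" role and the member names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ClaimSet:
    """The concrete OAuth claims a role grants, bound to exactly one OAuth client."""
    client_id: str   # the only client a token carrying these claims may be issued to
    claims: dict     # e.g. {"scope": ["openid", "email"], "groups": ["viewer"]}


@dataclass
class Role:
    """A high-level role; it owns its claim sets (one-to-many)."""
    name: str
    claim_sets: list = field(default_factory=list)


@dataclass
class Member:
    """A member may hold many roles and a role many members (many-to-many);
    only the member -> roles direction is needed to resolve claims."""
    username: str
    roles: set = field(default_factory=set)   # role names


def resolve_claims(member, roles_by_name, client_id):
    """Merge the claim sets of every role the member holds that are bound to
    client_id. Claim sets bound to other clients are skipped, so a scope
    granted for one client is never copied into a token for another.
    List-valued claims are unioned (order kept, duplicates dropped); a scalar
    claim must agree across roles, otherwise resolution fails closed."""
    merged = {}
    for role_name in sorted(member.roles):          # sorted for deterministic output
        for cs in roles_by_name[role_name].claim_sets:
            if cs.client_id != client_id:
                continue
            for key, value in cs.claims.items():
                if isinstance(value, list):
                    existing = merged.setdefault(key, [])
                    for v in value:
                        if v not in existing:
                            existing.append(v)
                elif merged.get(key, value) != value:
                    raise ValueError(f"conflicting claim {key!r} for {member.username}")
                else:
                    merged[key] = value
    return merged


def can_use_client(member, roles_by_name, client_id):
    """True only when at least one of the member's roles grants a claim set
    for this client. No claim set means no token, not an empty token."""
    return bool(resolve_claims(member, roles_by_name, client_id))


def build_directory():
    """Constructed sample data. The 'grafana' claim set is the one shown on
    this page; the 'gitlab' client, the 'oncall' role and the members are
    assumptions."""
    onboarding = Role("onboarding", [
        ClaimSet("grafana", {"scope": ["openid", "email"], "groups": ["viewer"]}),
        ClaimSet("gitlab", {"scope": ["read_api"]}),      # assumed second client
    ])
    oncall = Role("oncall", [                              # assumed second role
        ClaimSet("grafana", {"scope": ["openid"], "groups": ["editor"]}),
    ])
    roles = {r.name: r for r in (onboarding, oncall)}
    members = {
        "alice": Member("alice", {"onboarding", "oncall"}),
        "bob": Member("bob", {"onboarding"}),
    }
    return members, roles


if __name__ == "__main__":
    members, roles = build_directory()
    for username, member in members.items():
        for client in ("grafana", "gitlab", "wiki"):
            print(username, client, resolve_claims(member, roles, client))
```

With this data, bob's "gitlab" token carries only "read_api"; the "openid" scope from his Grafana ClaimSet never reaches it. Alice, who holds two roles with Grafana ClaimSets, gets the union of both (groups "viewer" and "editor", "openid" listed once). For a client that no role grants, resolve_claims returns an empty dict and can_use_client is false; the portal should refuse to issue a token in that case rather than issue one with no claims.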