...

The permission system is based on permission objects in the database, which are checked before a request is executed. Which permission is needed for which action is hardcoded and is described for every request in the API documentation. A permission has the following properties:

| Field | Description |
|---|---|
| scope | Where that permission is applied. Can be global (whole system) or local. Local means it is only applied inside the body the user got it from plus all bound circles in that body plus all members of that body. |
| action | Which action, e.g. update, view, etc. |
| object | Which object, e.g. circle, body, etc. |
| filters | Field filters in the form of nested objects with a field parameter {field: "something"}. See the separate section for filters. |
| always_assigned | Boolean, whether the permission is auto-assigned to everyone in the system |
| description | Description |

For easier communication, we write a permission as scope:action:object or, if the scope doesn't matter, as action:object.
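The check described above can be sketched as follows. This is an added example, not code from the OMS project: the names `Permission`, `Grant`, `is_allowed` and the sample data are hypothetical. It assumes that every target resource is identified by the body it belongs to, that an always_assigned permission only takes effect when its scope is global (the page does not say how a local one resolves, so it is denied), and it leaves filters out because they are covered in their own section.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Permission:
    scope: str                      # "global" or "local"
    action: str                     # e.g. "update", "view"
    object: str                     # e.g. "circle", "body"
    always_assigned: bool = False   # auto-assigned to everyone in the system

    @classmethod
    def parse(cls, text: str, always_assigned: bool = False) -> "Permission":
        """Parse the scope:action:object notation, rejecting malformed input."""
        parts = text.split(":")
        if len(parts) != 3 or not all(parts) or parts[0] not in ("global", "local"):
            raise ValueError(f"expected scope:action:object, got {text!r}")
        return cls(parts[0], parts[1], parts[2], always_assigned)

@dataclass(frozen=True)
class Grant:
    permission: Permission
    body_id: Optional[int]          # body the user got the permission from

def is_allowed(grants: Iterable[Grant], catalogue: Iterable[Permission],
               action: str, obj: str, target_body_id: Optional[int]) -> bool:
    # always_assigned permissions are held by every user, with or without grants
    for perm in catalogue:
        if (perm.always_assigned and perm.scope == "global"
                and (perm.action, perm.object) == (action, obj)):
            return True
    for grant in grants:
        perm = grant.permission
        if (perm.action, perm.object) != (action, obj):
            continue
        if perm.scope == "global":
            return True
        # local: valid only inside the granting body (the body itself,
        # its bound circles and its members all carry that body's id here)
        if grant.body_id is not None and grant.body_id == target_body_id:
            return True
    return False                    # default deny

# Constructed sample data
CATALOGUE = [Permission.parse("global:view:body", always_assigned=True),
             Permission.parse("local:update:circle"),
             Permission.parse("global:update:circle")]
BOARD_OF_BODY_1 = [Grant(CATALOGUE[1], body_id=1)]
```

The local grant lets the holder update circles of body 1 only; the same request against body 2 falls through to the default deny.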

...

To see a list of permissions, visit https://oms.aegee.org/permissions. It is conceivable that new microservices will add a new set of permissions to the system to handle specific functions.


Future permission system improvements

  • Extending scoping options. Instead of just local and global, we could also use the body type of a local as a scope.