From c190d5d1b73d862b94213506de07a524e42b9905 Mon Sep 17 00:00:00 2001
From: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Date: Thu, 28 Oct 2021 13:22:25 +0200
Subject: [PATCH] feat: add some manager roles (#2585)
* feat: add some manager roles
* feat: add some manager roles
* fix indent
Co-authored-by: Livio Amstutz
---
 cmd/zitadel/authz.yaml | 86 ++++++++++++++++++-
 .../docs/concepts/zitadel/objects/managers.md | 3 +
 2 files changed, 88 insertions(+), 1 deletion(-)
diff --git a/cmd/zitadel/authz.yaml b/cmd/zitadel/authz.yaml
index 20fd693a3e..49f9e6d095 100644
--- a/cmd/zitadel/authz.yaml
+++ b/cmd/zitadel/authz.yaml
@@ -94,6 +94,78 @@ InternalAuthZ:
 - "project.app.read"
 - "project.grant.read"
 - "project.grant.member.read"
+ - Role: 'IAM_ORG_MANAGER'
+ Permissions:
+ - "org.read"
+ - "org.global.read"
+ - "org.create"
+ - "org.write"
+ - "org.member.read"
+ - "org.member.write"
+ - "org.member.delete"
+ - "org.idp.read"
+ - "org.idp.write"
+ - "org.idp.delete"
+ - "org.action.read"
+ - "org.action.write"
+ - "org.action.delete"
+ - "org.flow.read"
+ - "org.flow.write"
+ - "org.flow.delete"
+ - "user.read"
+ - "user.global.read"
+ - "user.write"
+ - "user.delete"
+ - "user.grant.read"
+ - "user.grant.write"
+ - "user.grant.delete"
+ - "user.membership.read"
+ - "features.read"
+ - "policy.read"
+ - "policy.write"
+ - "policy.delete"
+ - "project.read"
+ - "project.create"
+ - "project.write"
+ - "project.delete"
+ - "project.member.read"
+ - "project.member.write"
+ - "project.member.delete"
+ - "project.role.read"
+ - "project.role.write"
+ - "project.role.delete"
+ - "project.app.read"
+ - "project.app.write"
+ - "project.app.delete"
+ - "project.grant.read"
+ - "project.grant.write"
+ - "project.grant.delete"
+ - "project.grant.member.read"
+ - "project.grant.member.write"
+ - "project.grant.member.delete"
+ - Role: 'IAM_USER_MANAGER'
+ Permissions:
+ - "org.read"
+ - "org.global.read"
+ - "org.member.read"
+ - "org.member.delete"
+ - "user.read"
+ - "user.global.read"
+ - "user.write"
+ - "user.delete"
+ - "user.grant.read"
+ - "user.grant.write"
+ - "user.grant.delete"
+ - "user.membership.read"
+ - "features.read"
+ - "project.read"
+ - "project.member.read"
+ - "project.role.read"
+ - "project.app.read"
+ - "project.grant.read"
+ - "project.grant.write"
+ - "project.grant.delete"
+ - "project.grant.member.read"
 - Role: 'ORG_OWNER'
 Permissions:
 - "org.read"
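Review bot: `IAM_USER_MANAGER` combines `user.write` and `user.delete` with `user.global.read`, which as far as this policy file goes is write access to every user in every organization, including the accounts that hold `IAM_OWNER`. Unless the user command handlers refuse to touch targets with higher-privileged memberships (not visible in this hunk), a holder of the role can reset an owner's credentials and so obtain the `iam.*` and `org.member.write` permissions the list deliberately omits; the same consideration applies to `IAM_ORG_MANAGER`. Either state in managers.md that both roles are effectively admin-equivalent, or add that membership check on the user write/delete path. The asymmetric `org.member.delete` without `org.member.write` on `IAM_USER_MANAGER` also deserves a comment above the entry, presumably something like `# org.member.delete only: allows cleaning up memberships when removing users, never assigning them`, so it is not "fixed" later.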
@@ -142,6 +214,18 @@ InternalAuthZ:
 - "project.grant.member.read"
 - "project.grant.member.write"
 - "project.grant.member.delete"
+ - Role: 'ORG_USER_MANAGER'
+ Permissions:
+ - "user.read"
+ - "user.global.read"
+ - "user.write"
+ - "user.delete"
+ - "user.grant.read"
+ - "user.grant.write"
+ - "user.grant.delete"
+ - "user.membership.read"
+ - "project.read"
+ - "project.role.read"
 - Role: 'ORG_OWNER_VIEWER'
 Permissions:
 - "org.read"
@@ -300,4 +384,4 @@ InternalAuthZ:
 - "user.read"
 - "user.global.read"
 - "user.grant.read"
- - "user.membership.read"
\ No newline at end of file
+ - "user.membership.read"
diff --git a/docs/docs/concepts/zitadel/objects/managers.md b/docs/docs/concepts/zitadel/objects/managers.md
index dc2db96847..4eb5dafc23 100644
--- a/docs/docs/concepts/zitadel/objects/managers.md
+++ b/docs/docs/concepts/zitadel/objects/managers.md
@@ -18,8 +18,11 @@ In the right part of the console you can finde **MANAGERS** in the details part.
 |---|---|
 | IAM_OWNER | Manage the IAM, manage all organizations with their content |
 | IAM_OWNER_VIEWER | View the IAM and view all organizations with their content |
+| IAM_ORG_MANAGER | Manage all organizations including their policies, projects and users |
+| IAM_USER_MANAGER | Manage all users and their authorizations over all organizations |
 | ORG_OWNER | Manage everything within an organization |
 | ORG_OWNER_VIEWER | View everything within an organization |
+| ORG_USER_MANAGER | Manage users and their authorizations within an organization |
 | ORG_USER_PERMISSION_EDITOR | Manage user grants and view everything needed for this |
 | ORG_PROJECT_PERMISSION_EDITOR | Grant Projects to other organizations and view everything needed for this |
 | ORG_PROJECT_CREATOR | This role is used for users in the global organization. They are allowed to create projects and manage them. |
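Review bot: `ORG_USER_MANAGER` receives `user.write` and `user.delete` over the organization's users, which includes the members holding `ORG_OWNER`, so unless the command side rejects writes to higher-privileged targets (not visible here) this role can take over an owner account and reach the `org.*` and `policy.*` permissions it is meant to lack. The role is also given no `org.read`, whereas its IAM-level counterpart `IAM_USER_MANAGER` in the same file carries `org.read` and `org.global.read`; if the user views need the organization context, a holder of this role will hit authorization failures, so either add `- "org.read"` under `Permissions:` or leave a comment saying why it is intentionally omitted. Documenting the intended escalation boundary of this role in managers.md (what it can and cannot do relative to `ORG_OWNER`) would make the permission list reviewable later.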