Introduction

When we restrict access to an app to certain roles, we can end up denying access to the superuser, which is quite unexpected.

Possible solutions

  1. Leave it as it is now; only change the task introduced in MGNLUI-2255 to add the superuser role by default.
    (plus) backward compatibility
    (minus) hardcoded superuser role - custom superuser roles must be handled manually.
    (minus) can deny access for superuser.

  2. Change ConfiguredAccessDefinition to check for "superuser" role, deny renaming of superuser role.
    (plus) backward compatibility
    (minus) can deny access for migrated superuser role which was renamed.

  3. Allow defining of superuser role(s) under Configuration:server/security/superuser(s)
    (plus) backward compatibility
    (plus) configurable superuser role
    (minus) the task for migrating old ACLs has to run after the superuser role configuration

  4. Create new App Access ACL for configuration of apps permissions similar to Web access ACL.
    1. define full path to an app
    2. define only app name

    (plus) we don't mix ACL with app permissions, all is handled by ACLs
    (plus) no problem with superuser access
    (minus) incompatible with 5.0-5.1.1
    (question) can we do it for 5.2?
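
The difference between the current behaviour, option 2 and option 3 for a renamed superuser role, as an added example (not Magnolia's own code). The class, the method names, the role names "editors" and "root-admin", and the rule that an app with no roles configured is open to everyone are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;

// Simplified stand-in for an app access check; not Magnolia's ConfiguredAccessDefinition.
public class AppAccessSketch {

    // Option 2 fixes the superuser role name in code.
    static final String HARDCODED_SUPERUSER = "superuser";

    // Assumption: an app with no roles configured is open to every user.
    static boolean matchesAppRoles(Collection<String> appRoles, Collection<String> userRoles) {
        return appRoles.isEmpty() || userRoles.stream().anyMatch(appRoles::contains);
    }

    // Behaviour from the introduction: only the configured app roles count.
    static boolean current(Collection<String> appRoles, Collection<String> userRoles) {
        return matchesAppRoles(appRoles, userRoles);
    }

    // Option 2: a user holding the role literally named "superuser" always passes.
    static boolean option2(Collection<String> appRoles, Collection<String> userRoles) {
        return userRoles.contains(HARDCODED_SUPERUSER) || matchesAppRoles(appRoles, userRoles);
    }

    // Option 3: the set of superuser role names is read from configuration.
    static boolean option3(Collection<String> appRoles, Collection<String> userRoles,
                           Set<String> configuredSuperusers) {
        return userRoles.stream().anyMatch(configuredSuperusers::contains)
                || matchesAppRoles(appRoles, userRoles);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<String> appRoles = List.of("editors");          // app restricted to editors
        List<String> admin = List.of("superuser");           // default superuser role
        List<String> renamedAdmin = List.of("root-admin");   // superuser role renamed before migration
        Set<String> configured = Set.of("superuser", "root-admin");

        System.out.println("current,  superuser:  " + current(appRoles, admin));
        System.out.println("option 2, superuser:  " + option2(appRoles, admin));
        System.out.println("option 2, root-admin: " + option2(appRoles, renamedAdmin));
        System.out.println("option 3, root-admin: " + option3(appRoles, renamedAdmin, configured));
    }
}
```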

1 Comment

  1. -> we'll go for Option 2. in 5.2