Make admin web app accessible with users with different roles and permissions

[lakshithagunasekara]

Problem

Currently, admin web app is not developed to restrict different sections based on the scopes. Only the workflow sections check for the workflow-related scopes [1] before loading and because of it, we can't allow different roles of users to access the admin web app.

[1] - https://github.com/wso2/apim-apps/blob/main/portals/admin/src/main/webapp/source/src/app/components/AdminPages/Dashboard/Dashboard.jsx#L43

Solution

Evaluate the scopes of each section before render.

Affected Component

APIM

Version

No response

Implementation

No response

Related Issues

No response

Suggested Labels

No response

[hasuniea]

We had a design review to finalize the design.

Admin web app is not developed to restrict different sections based on the scopes. Currently any user with apim:admin scope can view all the sections (Rate limiting policies,

Gateways, API Categories, Key Managers, Settings except Tasks). We can restrict each section by checking each user's scopes from the UI. But if we can go with an in- built

role(internal role) for common scenarios such as task managing, rate limiting, settings ..etc. we can reduce the overhead of assigning multiple scopes for the users.

We will have to create internal roles for each operation as in below.

Admin portal Section	Scopes	Suggested internal Role
Rate Limiting policies	apim:tier_view, apim:policies_import_export, apim:tier_manage, apim:bl_manage, apim:bl_view	Policy manager
Gateways	apim:environment_manage, apim:environment_read	Gateway manager
API categories	admin_operations	Category manager
KeyManagers	admin_operations	Keymanager admin
Tasks	apim:api_workflow_view, apim:api_workflow_approve, apim:tenantInfo ,apim:admin_settings	Workflow manager
Settings: Applications	apim:app_owner_change, apim:app_import_export, apim:admin_application_view	application manager
Settings: Scope Assignment	apim:scope_manage, apim:role_manage	scope manager

In case of the design, the user experience may be easy as follows.

Customers want to restrict admin users for the work-flow functionalities, they just assign admin users to internal/workflowManger roles. When an admin user logs to the admin portal, he/she can only see the tasks left side menu.

[hasuniea]

By considering the user experience and the maintainability, we discussed to go with an internal/manager role which is bound to most common user scenarios such as tasks and rate limiting policies. It is the default role which will go with the pack. Besides that, if someone wants to add other functionalities to it or else if the user wants to restrict only for one operation, he/she has to follow the doc and create custom roles and map related scopes to it.

[hasuniea]

We had a code review and asked to create a new constant file and put the necessary constants in there without adding it to the public accessible settings.js.

[hasuniea]

I created separate file and still the PR is in review

[hasuniea]

Please find the doc [1], PRs [2]
[1]. https://docs.google.com/document/d/1a4hrjD3VrPJ81BpN21-x1DX8y54pXXByqgqAVeVk6uA/edit?usp=sharing
[2]. i. Carbon-apimgt PR - wso2/carbon-apimgt#12135
ii. UI PR - wso2/apim-apps#492
iii Doc PR - wso2/docs-apim#6989

[chamilaadhi]

Additional Fixes
wso2/carbon-apimgt#12182
wso2/apim-apps#513

[chamilaadhi]

Integration test fixes
wso2/product-apim#13287
wso2/product-apim#13290

[chamilaadhi]

Remove invalid scopes wso2/apim-apps#514