Permission Group: admin screen/s #7090

Open
4 tasks
Tracked by #5953
davidwatkins73 opened this issue Jun 10, 2024 · 2 comments

davidwatkins73 commented Jun 10, 2024

  • Create involvement groups
  • Create permission groups
  • Add apps to permission group
  • Add involvements to involvement group
@davidwatkins73 davidwatkins73 changed the title Admin screen/s for Permission Group: admin screen/s Jun 10, 2024
@davidwatkins73

Some doc on permissions in general:

d2

title: Permissions {
  near: top-center
  shape: text
  style: {
    font-size: 40
    bold: false
    underline: false
  }
}

cg: Coarse Grained {
  u: user
  r: role
  ur: user role
  u <- ur
  r <- ur

  explanation: |md
    ## Coarse Grained

    - Granted to specific users
    - Applies to all entities

    Example:

    Users with the _Flow Admin_ role can update any flow
  |
}

fg: Fine Grained {
  explanation: |md
    ## Fine Grained

    - Defines permissions in terms of involvement
    - Involvements tie people to specific entities

    Example:

    Only _Asset Owners_ can update _Functions_
  |

  pg: permission group
  ig: involvement group
  i: involvement
  ik: involvement kind
  pers: person
  ref: entity

  pg -> ig
  ig -> i
  pers <- i
  ik <- i
  ref <- i
}
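
The two models in the diagram above, worked through as an added example (not the project's code and not part of the original comment). Table names follow the query posted in this issue; the `involvement` and `user_role` tables, their columns, the reading of `parent_kind` as the kind of entity an involvement is attached to, and all rows are assumptions made for illustration.

```python
import sqlite3

# Constructed data. Table names follow the query in this issue; the involvement
# and user_role tables, their columns, and every row are assumptions.
SCHEMA = """
create table permission_group (id integer primary key, name text);
create table involvement_group (id integer primary key, name text);
create table involvement_kind (id integer primary key, name text);
create table involvement_group_entry (involvement_group_id int, involvement_kind_id int);
create table permission_group_involvement (permission_group_id int,
  involvement_group_id int, parent_kind text, subject_kind text, operation text);
create table involvement (person text, kind_id int, entity_kind text, entity_id int);
create table user_role (user_name text, role text);
insert into permission_group values (1, 'Default');
insert into involvement_group values (10, 'Function editors');
insert into involvement_kind values (100, 'Asset Owner'), (101, 'Tester');
insert into involvement_group_entry values (10, 100);
insert into permission_group_involvement values (1, 10, 'APPLICATION', 'FUNCTION', 'UPDATE');
insert into involvement values ('alice', 100, 'APPLICATION', 7),
  ('bob', 101, 'APPLICATION', 7), ('alice', 101, 'APPLICATION', 8);
insert into user_role values ('carol', 'Flow Admin');
"""

# pg -> ig -> involvement kind -> involvement -> (person, entity)
FINE_GRAINED = """
select count(*) from permission_group_involvement pgi
join involvement_group_entry ige on ige.involvement_group_id = pgi.involvement_group_id
join involvement i on i.kind_id = ige.involvement_kind_id
                  and i.entity_kind = pgi.parent_kind
where pgi.permission_group_id = ? and pgi.subject_kind = ? and pgi.operation = ?
  and i.person = ? and i.entity_id = ?
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def has_role(db, user, role):
    """Coarse grained: a role held by the user applies to all entities."""
    sql = "select count(*) from user_role where user_name = ? and role = ?"
    return db.execute(sql, (user, role)).fetchone()[0] > 0

def can(db, person, operation, subject_kind, entity_id, group_id=1):
    """Fine grained: needs an involvement on this entity whose kind is in the group."""
    args = (group_id, subject_kind, operation, person, entity_id)
    return db.execute(FINE_GRAINED, args).fetchone()[0] > 0
```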


davidwatkins73 commented Jul 11, 2024

Query for viewing the current set of fine grained permissions:

-- One row per permission (pgi) and involvement kind in its involvement group
select pg.name, pg.external_id, pg.id,
       pgi.parent_kind, pgi.subject_kind,
       -- qualifier name comes from whichever left join matched; null if there is no qualifier
       pgi.qualifier_kind, pgi.qualifier_id, coalesce(mc.name, ad.name, null),
       pgi.operation,
       ig.name, ig.id, ig.external_id,
       ik.name, ik.external_id, ik.id
from involvement_group ig
inner join permission_group_involvement pgi on ig.id = pgi.involvement_group_id
inner join involvement_group_entry ige on ig.id = ige.involvement_group_id
inner join involvement_kind ik on ik.id = ige.involvement_kind_id
inner join permission_group pg on pg.id = pgi.permission_group_id
-- qualifiers are optional, so these are left joins
left join measurable_category mc on pgi.qualifier_id = mc.id and pgi.qualifier_kind = 'MEASURABLE_CATEGORY'
left join assessment_definition ad on pgi.qualifier_id = ad.id and pgi.qualifier_kind = 'ASSESSMENT_DEFINITION'
;

Things to note:

  • This doesn't bring back the entity level overrides if the permission group (pg) is not the default
    • that should probably be handled by a new query
  • Assuming the only qualifier entities are assessments and measurables
    • Remember qualifiers are optional, hence the left joins on mc and ad
