Access Control in control center
A member of a group can have a particular admin role that defines what he sees and can access in the control center.
Note that this access control is currently only checked on the frontend
and only partially in the firebase database. Access control on the database is still being moved from the isAdmin field of the person to the system described here. This
means that while some admin users might only be able to see and manage
some particular things in control center, they might still be able to read
and write to other locations in the database if they have some development
skills.
In firebase on the location /accessControl/roles/{groupId}/{adminRoleId},
you can define the permissions a particular role has (or not) in control center.
Do this by setting the name of the permission to either true or false.
When a particular action is not defined for a particular group, the default
for that role is used, which is defined in /accessControl/roles/default/{adminRoleId}.
For example, the content of /accessControl/roles can look like this:
{
"default": {
"admin": {
"billingAccounts:view": true,
"billingAccounts:edit": true,
...
}
},
"tmf": {
"admin": {
"persons:group_memberships:tmf": true,
"persons:group_memberships:team": true,
...
}
}
}
This is a list of currently used permissions:
- adminRole:edit user can assign admin roles
- archive:view user can view a list of archived items
- archive:edit user can unarchive archived items
- billingAccounts:create user can create billing accounts for groups or persons
- billingAcccounts:view user can view a list of billing accounts
- billingAcccounts:edit user can edit billing accounts
- carConfigs:create user can create new car configs
- carConfigs:view user can view a list of car configs
- carConfigs:edit user can edit car configs
- carConfigs:delete user can archive car configs
- carConfigs:swap user can swap car configs
- cars:create user can create new cars
- cars:view user can view a list of cars
- cars:edit user can edit cars
- cars:delete user can archive cars
- cars:control user can control (lock/unlock doors etc.) cars
- configs:view user can view the configurations' content
- configs:edit
- dashboard:view user can view the configured grafana dashboard
- dasboard:edit user can edit the grafana dashboard configuration
- fleet:view user can view a fleet map of cars
- groups:create user can create new subgroups which will be
- groups:view user can view a list of groups
- groups:edit user can edit subgroups
- groups:delete user can archive subgroups
- groups:members:export user can export a list of all group members
- orders:view user can view a list of orders for shops
- persons:create user can create new persons which will be
- persons:view user can view a list of persons
- persons:edit user can edit persons
- persons:delete user can archive persons
- persons:group_memberships:{groupId} user can control membership of persons to {groupId}
- places:create user can create new zones which will be
- places:view user can view a list of zones
- places:edit user can edit zones
- places:delete user can archive zones
- reservations:edit user can edit reservations for persons that are
- reservations:export user can export a list of reservations done by persons
- resourceSets:view user can view a list of templates
- resourceSets:edit user can edit templates
- shops:view user can view a list of shops
- shops:edit user can edit shops
- shops:stripe:edit user can edit stripe details for shops
Each object in firebase in billingAccounts, carConfigs, cars, carModels, places, resourceSets, groups, shops and persons
should also contain a field ownerGroup, that defines which group admin members can view or
edit this object. For example, a car with ownerGroup equal to tmf is editable by a user
which has the admin role admin in his tmf group membership and the field
/accessControl/roles/cvba/admin/cars:edit is set to true (or is not set and
/accessControl/roles/default/admin/cars:edit is true).