Access Control Implementation
Implementation
Access control is quite simple in this application due to the small number of user types.
There is no concept of individual permissions; instead, a backend user is assigned to one or more roles:
Service Worker
Service Admin
Organisation Admin
Global Admin
Super Admin
The action the user intends to make is authorised against the user's role.
Example:
If a user is trying to update a service's information, the system will check whether that user is a Service Admin for that service.
It's important to note that the system will not check whether the user is an Organisation Admin in this example. To keep the ACL implementation as simple as possible, the system only checks the minimum requirement for the user.
Abstracted away from the exposed API, Organisation Admins will always have assigned roles making them also a Service Worker and Service Admin for every service within the organisation.
Roles Assigned to Organisation or Services
With the exception of the Global Admin role, each user role is tied to a specific organisation or service. This allows for a more fine-grained ACL, meaning a user can be a Service Admin for one service but only a Service Worker for another. Refer to the diagram below for a visual representation:
Roles
To see what actions require which role, consult the API docs.
Service Worker
This is someone who works for the service and can view/update referrals for the service. This role will be given to a SPA (Single Point of Access).
Service Admin
This is someone who is allowed to update the service details. They are given the Service Worker role for the same service.
Organisation Admin
This is someone who is allowed to update the organisation details. They are given the Service Worker and Service Admin roles for all the services within the organisation.
Global Admin
Someone who is responsible for the day-to-day management of the platform. They are given the Service Worker, Service Admin and Organisation Admin roles for all services/organisations.
Super Admin
Intended for someone who occasionally needs to manage important system settings, such as updating the set of taxonomies. They are given the Global Admin, Service Worker, Service Admin and Organisation Admin roles for all services/organisations.
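The following is an added illustration of the two ideas above (the "minimum requirement" check from the Implementation section and the implied roles listed under each role description); it is not the application's own code. It assumes a constructed organisation-to-service mapping and assumes that scoped roles are stored as (role name, organisation or service id) pairs.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample data (assumption): each service belongs to exactly one organisation.
ORGANISATIONS = {"org-a": ["svc-1", "svc-2"], "org-b": ["svc-3"]}


@dataclass(frozen=True)
class Role:
    name: str
    scope: Optional[str] = None  # organisation id, service id, or None for platform-wide roles


def expand_roles(assigned: Set[Role]) -> Set[Role]:
    """Materialise the implied roles from the role descriptions: Super Admin implies
    Global Admin; Global Admin implies Organisation Admin for every organisation;
    Organisation Admin implies Service Admin and Service Worker for every service in
    that organisation; Service Admin implies Service Worker for the same service."""
    roles = set(assigned)
    if Role("Super Admin") in roles:
        roles.add(Role("Global Admin"))
    if Role("Global Admin") in roles:
        roles |= {Role("Organisation Admin", org) for org in ORGANISATIONS}
    for r in list(roles):
        if r.name == "Organisation Admin":
            for svc in ORGANISATIONS.get(r.scope, []):
                roles.add(Role("Service Admin", svc))
    for r in list(roles):
        if r.name == "Service Admin":
            roles.add(Role("Service Worker", r.scope))
    return roles


# Each check tests only the minimum role for the action, never a "higher" role directly.
def can_update_referrals(assigned: Set[Role], service_id: str) -> bool:
    return Role("Service Worker", service_id) in expand_roles(assigned)


def can_update_service(assigned: Set[Role], service_id: str) -> bool:
    return Role("Service Admin", service_id) in expand_roles(assigned)


def can_update_organisation(assigned: Set[Role], org_id: str) -> bool:
    return Role("Organisation Admin", org_id) in expand_roles(assigned)


def can_update_taxonomies(assigned: Set[Role]) -> bool:
    return Role("Super Admin") in expand_roles(assigned)
```

Because the checks look only at the minimum role, the role expansion is what keeps an Organisation Admin able to edit services in their own organisation while still being refused for a service in another organisation.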