Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Groups API version for review #372

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Conversation

danielbass37
Copy link
Collaborator

Still missing diagram.
Might have some mistakes and require fixing the API code.
Please review.

Copy link

netlify bot commented Jun 21, 2024

Deploy Preview for permitio-docs ready!

Name Link
🔨 Latest commit 584f680
🔍 Latest deploy log https://app.netlify.com/sites/permitio-docs/deploys/668bc93b2182a80008974437
😎 Deploy Preview https://deploy-preview-372--permitio-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

## Key Features:

- **Create, Update, Delete, and List Groups:** The Groups API provides a comprehensive set of endpoints to manage the lifecycle of your groups, ensuring you have complete control over their configuration and membership.
- **User Membership:** When adding users to the group through the API, you can set them to automatically derive their permissions from the roles assigned to the group, ensuring consistent and manageable access control. See the [Groups Redoc](https://www.notion.so/) for more information.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't have "Upcoming feature" in the URL- that means the URL will break once that changes.
Use admonitions in the text instead

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maya-barak please fix the link before I push changes.

- **Users:** Creating a group of users allows you to assign an entire cluster of users with a single role (Instead of assigning roles to each user individually). You can set a role assigned to the group to be automatically assigned to all its members and revoked once their membership is removed.

:::info Example:
If we create a `marketing` group and assign a `marketing-team-member` role to it, we can give an entire group of users access to a shared marketing resource.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the 'marketing-team-member' role and 'marketing-resources' are not expressions that fit for what we wanted for this example, @orweis - your opinion?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's switch the resource to be (an external) document

Groups enable you to easily group together resources, resource-instances, and users. In addition groups simplify ReBAC permissions for users, by allowing roles to be assigned to the groups themselves.
You can assign roles to a group and then add users to the group through the Groups API.
The users within the group will derive roles form the roles assigned to the group .
The Groups API simplifies permission management for your resources and users by using groups. Groups can include resources, resource instances, and users, enabling you to set permissions for everything contained within a group at once.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Groups can include resources, resource instances..." - you can group resource types to set up the scheme of your app resources, later the permission will be managed on resource instances groups according the the scheme that was set on the type. so when saying "Groups can include resources, resource instances and users..." I think it communicates the wrong idea.

" enabling you to set permissions for everything contained within a group at once" - only relevant for user groups. I think it's confusing in the context of resource groups.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the first note: I agree. Changed to: "These can be used to group together resources, resource instances, or users,"

As for the second note, how's: "enabling you to set a unified permission scheme for everything contained within a group"? I need something that works for all three group types..

If we create a `marketing-resources` group, we can assign a role to a user (Or group of users!) that gives them permission to perform certain actions on all resources within the `marketing-resources` group.
:::

- **Resource Instances:** Grouping resource instances allows you to manage permissions for a group of specific resource instances collectively. As with resource groups, this ensures all resource instances within the group share the same permission configuration.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

continuing the comment from above, I think there is some misunderstanding around the resource group use case, would love to chat about this more

docs/api/rebac/groups.mdx Outdated Show resolved Hide resolved
- **Users:** Users: Including users in a group allows you to assign an entire cluster of users with a single role (Instead of assigning roles to each user individually).
You can set a role assigned to the group to be automatically assigned to all its members and revoked once their membership is removed.

:::info Example:
Copy link
Contributor

@orweis orweis Jul 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this an example ?

Comment on lines +31 to +35
:::info Example:
In our marketing group, we can create another group titled `social_media`. This group will contain resource instances of marketing materials. We can assign this newly created group the role of editor.
The Groups API allows you to create a derivation between the `social_media#editor` role and the `marketing#member` role - meaning all users with the `marketing#member` role will automatically be assigned
with the `social_media#editor` role.
:::
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're confusing giving an example of usage, and what would be created behind the scenes

The groups API doesn't "allows you to create a derivation" it does so for us automatically

Comment on lines +36 to +39
:::info Example:
New resources added to `social_media` will be accessible to edit by members of the marketing group, and new users added as members to the marketing group will automatically
have editor access to social media assets.
:::
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a new example - it's part of the previous one.
Not sure this needs to be an admonition at all

Co-authored-by: Or Weis <orweis@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants