More role permission granularity

Shatz
Shatz Member
edited August 2023 in Governance & Security Ideas

There needs to be more granularity around the permissions that can be assigned to roles - specifically regarding the permission grants offered for Role and User management. There needs to be alternatives to the current 'all-or-nothing' options of 'Manage all roles' and 'Manage all users' permissions.

I created a custom role with limited admin access. I need this role to be able to assign new and existing users to roles other than Participant. With the options currently available, they cannot do this unless I assign them to the Privileged role (which lacks other permissions they need and would only allow them to assign new users to other roles) or I grant them full access to role administration ('Manage all roles'). However, granting them 'Manage all roles' would grant them far too much access, including the ability to elevate their own permissions or remove mine. They also need to be able to edit attributes of existing users, but that is only currently allowed by the ‘Manage all users’. Again, this grants the user far more permission than they should have, including the ability to delete Admin users.

There needs to be a way to define a hierarchy among the roles (which includes Custom Roles). Then, an ‘Assign Roles’ permission (that has no access to create, edit, or delete roles) needs to be created that allows users assigned to that permission to manage role assignments within the following restrictions:

-The ‘Assign Roles’ user can only change role assignments for users currently assigned to a role less than or equal to the ‘Assign Roles’ user’s role. This prevents them from removing permissions from a user with more elevated access.

-The ‘Assign Roles’ user can only assign users to a role less than or equal to the ‘Assign Roles’ user’s role. This prevents them from elevating their own access.

My proposal regarding permissions for ‘Manage all users’ is very similar whereby a limited ‘Manage Users’ permission would be created that allowed users with this permission to Edit users and reset passwords for those users whose role is less than or equal to the ‘Manage Users’ role. I could even see a need to making the 'Reset user password' into a standalone permission.

Tagged:
6
6 votes

In Review · Last Updated

We're working on some roles governance capabilities similar to those described here. There's also the idea of similar capabilities for user attributes. I can see how more granularity in user management capabilities would be helpful here.

Comments

  • DanBrinton
    DanBrinton Domo Product Manager

    Hi, @Shatz - thanks for posting your idea here!

    Really, I see a couple of different ideas:

    1. Allow a "people-manager" sub-admin-type user to assign roles to other users without giving them the ability to assign any role. So, you'd need governance around which roles are assignable by those sub-admin users.
    2. Allow a "people-manager" sub-admin-type user to set user attributes without giving all the abilities that come with the "Manage all users" grant. Presumably, you'd want similar governance as with roles: maybe limit which attributes are configurable by those sub-admin users.

    Thanks again for taking the time to share your use case and your ideas for future improvements!

  • I'm suuuuuuuuper interested in this, @DanBrinton! My customers' companies each have their own Domo subscriber instance. We have their role default to a "read-only" custom role, but some of the users at each customer need our limited "editor" custom role. I'd love to create a "customer admin" role that allows the "admin" at each customer to switch their users between the read-only and editor roles. Currently they have to contact our Support team to have anyone's role changed, which is annoying for them and additional work for our team. I volunteer as tribute if you need beta testers. :)