Assign Multiple Roles to a User

[dvanmali]

I believe the ability of assigning users to multiple roles instead of current only one is beneficial for different types of projects but also for good GraphQL security.

As of right now, if I give a directus_user read permissions to their own First_Name, Last_Name, and the Password fields, along with the filter {"owner": {"_eq": "$CURRENT_USER"}}, then they can see their own data. But if I create a Post Object with fields "Author" {ref:directus_user} and "description" {string:text}, then I can never read the First_Name and Last_Name of author because of the pre-existing filter blocks me, even though I should.

The opposite way to look at it: I have a Post Object with "Author" {ref:directus_user} and "description" {string:text}, with read access enabled for directus_user's "First_Name" and "Last_Name" only. Now, I can see all of the posts from the other Authors, but as a directus user, I can't read my own private data field ie Location, Language, etc.

---

I'm guessing this could be fix by making a One(User)-to-Many(Roles) relationship in the Directus DB, but each query needs to check permissions against each role assigned to that user.

[benhaynes]

We already have permission merging, so I think this is more of a question around UI for showing that combined permission super-set. I may be wrong though.

[rijkvanzanten]

We already have permission merging

To clarify, internally for use with app-access. There is no permissions merging between roles at the time of writing 👍🏻

[vanling]

Would this also make it possible to "extend" permissions, for example, so that a new role also inherits the permissions of the public role? When creating a role for a user who then logs into the website/app, I often have to replicate all the permissions that I previously set for the public role.

It's not exactly the same, but it would be something like assiging "public" and "app_user" to the user, where the "app_user" role would extend/override the permissions of the "public" role with some additional rules..

Edit: just read the policies thing below =D that would also make above more feasable

[rijkvanzanten]

"Extending" I think is the primary goal of multiple roles / the policies idea 🙂 The ability to say "You have 'public' access and 'editor' access and 'file-admin' access"

[ernst86913]

Would be a great feature... otherwise permissions will be very difficult to handle in the future.

[juancarlosjr97]

I was thinking about this discussion and start thinking something around this... What about joining the permissions, to create one single role and keep the role as a virtual role, so basically when is queried it will be querying the virtual role. I guess that one issue would be how to select custom permissions which one would be accepted and which one would be overwritten.

[connorwinston]

I would like to see this discussed more as well, as it is very tedious to set up permissions right now based on roles. For example, say you have 10 different roles and 6 of them need read access to a certain collection with custom write permissions. I would have to go into each role and make sure I cope those custom permissions to each role. If I could assign multiple roles, I could create one role with those custom permissions and just assign it to the users.

Instead of roles being Many to One, they could be Many to Many. The only issues I foresee is conflicting permissions.

[rijkvanzanten]

I'm not too familiar with how roles are handled throughout the core, but I assumed it would require a fair few changes to make Directus play nice with multi-role

If we merge the roles early on in the process using the _or strategy, the rest of the API will stay the same 🤔

Multi-role would also be a breaking change.

Should be fairly straightforward to write a migration to move the role data in a new junction table. A recursive role would also require a migration (add the new parent role column), so I think it's roughly the same workload

[aidenfoxx]

I meant it's a breaking change for the /users API. With multi-role, all user roles would be in the junction table, so you'd have to do a join in the users API requests to get the roles. I guess you could do some funny re-mapping as part of the API to keep it more consistent (you'd still be returning an array of roles rather than a string), but that just feels bad!

Recursive roles isn't breaking because the user still only has one role. It just so happens that the users role inherits the permissions of a parent role.

[rijkvanzanten]

Ohh like that, yeah that's true. But with that in mind, that's also why we're having this discussion now pre-v9.0.0 production release 🙂

[aidenfoxx]

Of course. But it's still good to know our options, and if we can get the same functionality in a different way then it's always good to take it into consideration. 😄

[connorwinston]

Another solution which would keep singular roles per user, would be to have permission "templates" and you can assign multiple permission templates to a role. So you can re-use custom permissions or field permissions, and then apply those to multiple roles. Then for conflicting permission templates, just use the _or strategy like mentioned above?

For example.

Permision A:

• Read access to own articles
• Update own Articles
• Can Create new Articles

Permission B:

• Can delete Article

Roles:
Trusted Author: ["A","B"]
Author : ["A"]

[eXsiLe95]

Hey guys,
I did not want to disturb the technical discussion. Is there any news on the subject? Or did I miss the decision anywhere?

I know that this is a highly complex topic... And I have no personal preference on implementation. I like the template approach of @connorsimply, however, depending on the number of templates available, there may be a corresponding number of permutations, which are then stored as roles. This could become confusing for the user of the app.

However, I also understand very well that a change of the API is expensive. I think I would prefer the _or strategy in merging role permissions, mentioned by @rijkvanzanten.

[benhaynes]

Happy to see this get a ping... would love to dive in formally, but we have a lot of Sponsored work occupying the Core Team at the moment. I'd like to see a formal RFC, PR, Sponsoring here... but it is a big one!

[linus1703]

@benhaynes Any updates by now? :)

[benhaynes]

No, it's a big update... so it will likely take it being sponsored to break ground.

[linus1703]

While waiting for this feature I figured out a workaround I'd like to share:

1. Create a data model profiles (or whatever)
2. Create the fields you want to be public or read by other users and create the one to many relationship to the directus_users table
   
3. Set up a flow that triggers an action on creating a new user
   
4. Set up a "create data" action like shown in the image, that creates a new profile and assigns the user
   
5. Enable permissions for the directus_users to be only read by the logged-in user and the profiles table by public or whoever.

Hope this helps at least some people. I figured it out the hard way in a few hours (but learned something new about Directus Flows :) )

[GustavoBlaze]

This is the exactly same situation i'm facing now! it would be so helpful to have the possibility of combining roles :/

[lusid]

For such an amazing platform, I simply couldn't believe that there was no way to make permissions somewhat DRY (at least with a simple hierarchy), and I was even more shocked to find that public permissions did not apply automatically to literally every other role (what is the use case for this?). So I forked it and fixed it (in my opinion). It is VERY lightly tested at the moment, but it works for my needs, so maybe it will help others. You can see what I changed in the commit.

I definitely don't recommend using this in production as whatever Directus eventually does will probably cause it to break, but I wanted to prove to myself that it is actually very easy to hack a simple workaround. It uses knex.withRecursive, and I don't know that this works for sure on every database available (but it does work on Postgresql). It also requires a fresh install as it includes a parent_role field in the base setup and not as a migration (I am not familiar with the correct process for submitting changes, and this was mainly done for my own needs).

main...lusid:directus:with-role-hierarchy

[rijkvanzanten]

shocked to find that public permissions did not apply automatically to literally every other role (what is the use case for this?)

The public role controls what permissions are available for unauthenticated (public) users. That is a very different context from roles in-app 👍🏻

Also regarding ease of implementation: The difficulty doesn't really come from the API side of the equation. Your solution relying on mergePermissions with an or is exactly how I would implement it too 🙂 The main difficulty is actually in how to present it in-app. We have to think through how the user would actually configure these roles efficiently, and how to keep track of what permissions are configured where. Do we just make a m2m for users->roles, and then figure out some special view so you can see "all permissions for this particular user"? What if you wanted to override custom permissions for just that user, is that a new role? You'll quickly end up with a policy based access control paradigm rather than a role-based access control paradigm (which is not a bad thing!) but that comes with a totally different way of configuring and nesting permission sets 🙂

[lusid]

The public role controls what permissions are available for unauthenticated (public) users. That is a very different context from roles in-app 👍🏻

I understand what you are saying here, but what is the use case for a situation where a user with a role and app access should have to log out of the website completely first before being able to do the things that an anonymous, public user can do? 😄 It doesn't really make sense, and just means that every role you create in the system, you have to duplicate the effort of bringing in the minimal requirements of the public role.

Also regarding ease of implementation: The difficulty doesn't really come from the API side of the equation. Your solution relying on mergePermissions with an or is exactly how I would implement it too 🙂 The main difficulty is actually in how to present it in-app. We have to think through how the user would actually configure these roles efficiently, and how to keep track of what permissions are configured where. Do we just make a m2m for users->roles, and then figure out some special view so you can see "all permissions for this particular user"? What if you wanted to override custom permissions for just that user, is that a new role? You'll quickly end up with a policy based access control paradigm rather than a role-based access control paradigm (which is not a bad thing!) but that comes with a totally different way of configuring and nesting permission sets 🙂

I agree with everything you are saying here, except I personally need the functionality far more than I need a pretty GUI to handle it. In my opinion, having policy based permissions is extremely important, not just a nice to have, but then again, I'm trying to use Directus to replace backend development work of a complicated application, not just building a simple blog, and I know different people have different needs. But honestly, I've solved this for myself simply by allowing a user with elevated permissions to impersonate roles to test access levels (using https://github.com/u12206050/directus-extension-role-chooser to change their own roles temporarily). This would be even better if impersonation was also integrated into the base system and didn't require toggling a user's actual role (since workflow could rely on that data).

But I digress. I look forward to seeing whatever is done to manage this issue, as it is really the only thing I feel Directus is really missing at this moment to make it a really useful tool. And hopefully, supporting multiple roles won't end up behind a paywall.

[malmz]

This would solve a big problem for my use case aswell. I have multiple teams that have access to different collections but a user can be in multiple teams at the same time. Right now the only solution seems to be to have a single shared user per team, which is less than ideal.

[diegoleme]

Any news here @rijkvanzanten? Is there anything the community can help with?

[ChuckMoe]

@rijkvanzanten With the policy system, you would stay with the current one user, one role system though, right? Otherwise, I don't see how it helps in presenting this compact in-app, if you would have to distinguish which policy comes from which role.
I was still thinking about having multiple roles as a user and implementing the policy system at the same time. But you are thinking about staying with the current one user, one role system but moving to a policy based system, right? I am all for that idea!

[rijkvanzanten]

But you are thinking about staying with the current one user, one role system but moving to a policy based system, right? I am all for that idea!

Yeah exactly! I feel like the goal of the feature request is to be able to "compose" permissions sets by combining different sets of permissions. Right now, permissions are tied to a role, and thus you get a "Oh we need multiple roles". Bit of an XY problem 🙂 I think this policies approach might solve the original problem, and then unlock some additional functionality (like setting additional permissions for a single user, or creating tokens that don't have to be scoped to a role)

[adanielyan]

With the polices approach, will the permissions be assigned to polices, and then polices to roles, or will the permissions be assigned to roles and also to polices which are then added to roles and extend the role permissions?

[adanielyan]

Also will it be possible for a user to have no roles but only one or multiple assigned polices?

[rijkvanzanten]

With the polices approach, will the permissions be assigned to polices, and then polices to roles, or will the permissions be assigned to roles and also to polices which are then added to roles and extend the role permissions?

My current thinking is that permissions will be assigned to policies, and you would then assign one or more policies to a role, and/or one or more policies to a user.

Also will it be possible for a user to have no roles but only one or multiple assigned polices?

Yes! You could have a user without a role, and then assign some policies to give them permissions to certain parts of the API 👍🏻

(These are just some R&D thoughts I'm having at the moment, but nothing is set in stone yet 🙂 )

[rijkvanzanten]

Heya! Thanks for opening this feature request!

This feature request has received over 15 votes from the community. This means we'll move this feature request to the Under Review state!

The Core team will schedule a meeting to review this request as soon as possible. The discussion will then be approved or denied. You may or may not be invited to join this meeting with the core team.

For more information, see our Feature Request Process.

[luochuanyuewu]

I would also like to share my thoughts. I believe Casbin is an excellent permission management library. Its official website has an editor where you can see how many permission control models work. I think it's a great reference.
https://casbin.org/editor

[falmanna]

Casbin is great, but Directus already has a built in RBAC implementation. They just need to extend it to support multiple roles.
We did implement a custom auth hook to add support for multi role. Working nicely so far. It is just not very admin UI friendly.

[jofmi]

If you have an implementation that works from a technical side, could the admin UI part not simply be an M2M field for User-Roles?

[falmanna]

@jofmi exactly, it is a M2M field on the user, but when you switch to the roles tab, you will see these roles as empty. Besides that, you will need to assign a separate role as the original directus role. We used a separate role to force the requestor to specify which role they are authorizing against.

[donnysim]

So if one role has a collection filter of created by and another role has filter of assigned to, which wins? In many cases the preferred outcome is to have them merged to show both cases in the list.

[falmanna]

@donnysim in my case the requester has to send a header the claimed role. The default assigned role has no permissoins to do anything. This forces the user to specify a role in every request.
Not the cleanest, but working well.

[rijkvanzanten]

When we're going over to the implementation of this, lets take #19129 into account for the UX piece

[rijkvanzanten]

Also similarly, lets think through how it might affect #19085 if at all

[WolfgangWenzel]

I think the present state is depressing. It is clear that many site have a hierarchy of users:

normal user
privileged user
moderator
admin

and so on. It is also clear that in most scenarios you want that moderators have the rights of all users in the list above. the easiest way to do this would be to assign all three roles to moderarator.

[vitalijalbu]

I also need this feature, else users need to create multiple accounts,
But they have only 1 email…👀👀

[rijkvanzanten]

Hi all! I started putting together a more formal RFC document of how I think we should implement this. Please do let me know any and all comments you might have! The more feedback we collect, the better we can make sure this will work for everybody involved 🙂

[jofmi]

This looks fantastic! Since this is such a popular request, would it make sense to organize some community funding for this feature?

[surfmuggle]

A sample to illustrate

permissions should be organized in Policies. Each Policy holds permission-rules to one or more collections for one or more actions (create/read/etc).

could be helpfull. I understood this

Policy	permission-rules	collections	actions
1	imdb-editor	movies,actors	create, read, update
2	imdb-admin	movies,actors	create, read, update, delete
3	anonymous user	movies,actors	read
4	known user	trivia	read, create, update

A single person could have assigned multiple policies to them.

User	policies
Ben	3,4
Nick Burns	1,2,4

Is this what is meant with the quote above?

[rijkvanzanten]

That's correct 👍🏻

[emahuni]

Whilst this is going on and probably in the same logic but not related to this discussion, may you please think about how modules bar and other sections of the APP (eg: activity or notifications etc) can have configurable permissions. This is a real pain point. See #20975, please vote for it as it is simple to implement but needs attention now as the roles and permissions section is about to change.

[nicksergeant]

We just discovered this behavior because we assigned one of our administrators a role that we are testing permissions for. That user lost all administrative access because the new role only has a few permissions, and we did not realize that a user can only have a single role (and their previous role was administrative).

1. It might be nice to add a very loud warning when assigning a role to a user that any other assigned role will completely disappear.
2. And maybe an even louder warning for ☝️ if the user currently has the Administrator role.

[jbeckton]

[benhaynes]

I understand the frustration of hitting a wall, but I'd rather see constructive product feedback here instead of blaming a marketing line. This feature request is currently the highest priority for us, but it's extremely tricky and nuanced. We won't release something half-baked, so please be patient while we work through it.

[renet]

I'm not able to offer any sponsoring at the moment. But is it possible to support the progress of this some other way?

Also as a UX improvement, adding a warning when assigning a user that already has a role assigned to a different role would probably prevent what @nicksergeant is describing. If that would be a quick thing to develop, and the multiple roles feature is still pretty far away, it might be worth it?

[rokdd]

What is the schedule for this feature? Last year I saw it on the roadmap but now the roadmap disappeared.. My company pays a license and it would help us dramatically when we could assign multiple roles. Can you just give a update about the timeline? in 1w, 6mo, never,...

[rijkvanzanten]

I'm starting on it next week, keep an eye on https://github.com/orgs/directus/projects/13/views/37?sliceBy%5Bvalue%5D=Project+Aditus 🚀 It's a big undertaking, so prob a month or two realistically

[matthiaskrieft]

I'm getting: "That view no longer exists" on that link. Is special access needed?

[paescuj]

We've reorganized the project views, the new link is: https://github.com/orgs/directus/projects/13/views/42?sliceBy%5Bvalue%5D=Auditus

[jacob-israel-turner]

@rijkvanzanten thanks for working on this! I'm really excited to see this permissions rework land.

One suggestion I'd make is to also allow multiple roles to be assigned to a bookmark. Right now, a bookmark can be global or assigned to just a single role. That means I have to create a new bookmark for every single role that I want to grant access to.

Good luck!