Assign Multiple Roles to a User #4959
Replies: 19 comments 48 replies
-
We already have permission merging, so I think this is more of a question around UI for showing that combined permission super-set. I may be wrong though.
-
Would be a great feature... otherwise permissions will be very difficult to handle in the future.
-
I was thinking about this discussion and started thinking something around this... What about joining the permissions to create one single role and keeping the role as a virtual role, so basically when it is queried it will be querying the virtual role. I guess that one issue would be how to select, for custom permissions, which one would be accepted and which one would be overwritten.
-
I would like to see this discussed more as well, as it is very tedious to set up permissions right now based on roles. For example, say you have 10 different roles and 6 of them need read access to a certain collection with custom write permissions. I would have to go into each role and make sure I copy those custom permissions to each role. If I could assign multiple roles, I could create one role with those custom permissions and just assign it to the users. Instead of roles being Many to One, they could be Many to Many. The only issue I foresee is conflicting permissions.
-
Hey guys, I know that this is a highly complex topic... And I have no personal preference on implementation. I like the template approach of @connorsimply, however, depending on the number of templates available, there may be a corresponding number of permutations, which are then stored as roles. This could become confusing for the user of the app. However, I also understand very well that a change of the API is expensive. I think I would prefer the
-
This is exactly the same situation I'm facing now! It would be so helpful to have the possibility of combining roles :/
-
For such an amazing platform, I simply couldn't believe that there was no way to make permissions somewhat DRY (at least with a simple hierarchy), and I was even more shocked to find that public permissions did not apply automatically to literally every other role (what is the use case for this?). So I forked it and fixed it (in my opinion). It is VERY lightly tested at the moment, but it works for my needs, so maybe it will help others. You can see what I changed in the commit. I definitely don't recommend using this in production as whatever Directus eventually does will probably cause it to break, but I wanted to prove to myself that it is actually very easy to hack a simple workaround. It uses knex.withRecursive, and I don't know that this works for sure on every database available (but it does work on PostgreSQL). It also requires a fresh install as it includes a parent_role field in the base setup and not as a migration (I am not familiar with the correct process for submitting changes, and this was mainly done for my own needs).
-
This would solve a big problem for my use case as well. I have multiple teams that have access to different collections but a user can be in multiple teams at the same time. Right now the only solution seems to be to have a single shared user per team, which is less than ideal.
-
Any news here @rijkvanzanten? Is there anything the community can help with?
-
Heya! Thanks for opening this feature request! This feature request has received over 15 votes from the community. This means we'll move this feature request to the Under Review state! The Core team will schedule a meeting to review this request as soon as possible. The discussion will then be approved or denied. You may or may not be invited to join this meeting with the core team. For more information, see our Feature Request Process.
-
I would also like to share my thoughts. I believe Casbin is an excellent permission management library. Its official website has an editor where you can see how many permission control models work. I think it's a great reference.
-
When we're going over to the implementation of this, let's take #19129 into account for the UX piece
-
I think the present state is depressing. It is clear that many sites have a hierarchy of users: normal user and so on. It is also clear that in most scenarios you want that moderators have the rights of all users in the list above. The easiest way to do this would be to assign all three roles to moderator.
-
I also need this feature, else users need to create multiple accounts.
-
Hi all! I started putting together a more formal RFC document of how I think we should implement this. Please do let me know any and all comments you might have! The more feedback we collect, the better we can make sure this will work for everybody involved 🙂
-
We just discovered this behavior because we assigned one of our administrators a role that we are testing permissions for. That user lost all administrative access because the new role only has a few permissions, and we did not realize that a user can only have a single role (and their previous role was administrative).
-
What is the schedule for this feature? Last year I saw it on the roadmap but now the roadmap disappeared. My company pays a license and it would help us dramatically when we could assign multiple roles. Can you just give an update about the timeline? In 1w, 6mo, never,...
-
I believe the ability of assigning users to multiple roles instead of the current only one is beneficial for different types of projects but also for good GraphQL security.
As of right now, if I give a directus_user read permissions to their own First_Name, Last_Name, and the Password fields, along with the filter {"owner": {"_eq": "$CURRENT_USER"}}, then they can see their own data. But if I create a Post Object with fields "Author" {ref:directus_user} and "description" {string:text}, then I can never read the First_Name and Last_Name of the author because the pre-existing filter blocks me, even though I should. The opposite way to look at it: I have a Post Object with "Author" {ref:directus_user} and "description" {string:text}, with read access enabled for directus_user's "First_Name" and "Last_Name" only. Now, I can see all of the posts from the other Authors, but as a directus user, I can't read my own private data fields, i.e. Location, Language, etc.
I'm guessing this could be fixed by making a One(User)-to-Many(Roles) relationship in the Directus DB, but each query needs to check permissions against each role assigned to that user.
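The scenario in the last comment, as an added example (not Directus code and not written by any participant in this thread): when a user holds two roles, the rules have to be merged per field, because a single merged field set with OR-ed filters lets the unrestricted name grant lift the owner filter from private fields. The rule shape, the role names `self` and `post_reader`, and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Directus code. The rule shape and role names are assumptions;
// filter === null means "no row restriction". All rules target one collection and action.
const RULES = [ // constructed sample rules mirroring the last comment
  { role: 'self', collection: 'directus_users', action: 'read',
    fields: ['first_name', 'last_name', 'location'],
    filter: { owner: { _eq: '$CURRENT_USER' } } },
  { role: 'post_reader', collection: 'directus_users', action: 'read',
    fields: ['first_name', 'last_name'], filter: null },
];

// OR two row filters; an unrestricted grant (null) absorbs everything.
function orFilters(a, b) {
  if (a === null || b === null) return null;
  return { _or: [a, b] };
}

// Naive merge: one field set and one filter for all roles. Over-grants.
// Expects at least one rule.
function mergeNaive(rules) {
  const fields = [...new Set(rules.flatMap((r) => r.fields))].sort();
  const filter = rules.map((r) => r.filter).reduce(orFilters);
  return { fields, filter };
}

// Per-field merge: each field keeps only the filters of the roles that grant it.
function mergePerField(rules) {
  const merged = new Map();
  for (const rule of rules) {
    for (const field of rule.fields) {
      merged.set(field, merged.has(field)
        ? orFilters(merged.get(field), rule.filter) : rule.filter);
    }
  }
  return merged;
}

// Minimal evaluator: supports only null, {_or: [...]} and {field: {_eq: value}}.
function matches(filter, item, userId) {
  if (filter === null) return true;
  if (filter._or) return filter._or.some((f) => matches(f, item, userId));
  return Object.entries(filter).every(([key, cond]) =>
    item[key] === (cond._eq === '$CURRENT_USER' ? userId : cond._eq));
}

// Fields of one item that the user may read under the per-field merge.
function readableFields(rules, item, userId) {
  return [...mergePerField(rules)].filter(([, f]) => matches(f, item, userId))
    .map(([field]) => field).sort();
}
```

With these rules, `mergeNaive` returns `location` with a `null` filter, which makes every user's location readable, while `readableFields` exposes `location` only on the requester's own record.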