Make role-assignments possible to prioritize

It is a problem that Nerdio just selects a random role-assignment if a user is part of more than one group. We need a solution to prioritize which assignment is selected. It should also prioritize individual assignments above group assignments.

Simplest solution would be that individual assignments always win; in addition, we need to select the priority order of the Nerdio roles.

2

Comments (5 comments)

1
Dave Stephenson

Welcome to the community, Jakob Nøtseth 🙂!

I know I've been bit in the butt a time or two (or more 😞) by conflicting permissions.
I'm not sure about the current logic for deciding the "winning" permission, but I'm guessing it has something to do with the "Role ID" or some other backend field.

Obviously, in a perfect world, we would only assign one role per user, but with Groups, it's possible that someone could get inadvertently assigned multiple permissions.

Maybe if we add a priority field to the roles (similar to a Firewall Rule) so that it's clear which permissions should take priority will help with this?

(Excuse my rough mock-up)

1
Jakob Nøtseth

In reality, you could be assigned a lot of different roles, and your result should have been determined at runtime to be the sum of your access.

But, before you have that in place, at least giving us the ability to say which role would win in each case needs to be implemented. Something like the priority above, or even just the sorting. Making sure the superadmin role is always top priority, and then all the way down to helpdesk and sales.

1
Jakob Nøtseth

And - if directly assigned - that should trump any group-assignments.

0
Dave Stephenson

Thanks, Jakob.
Those are some great insights!

I like the concept (Direct Assignment > Group Assignment), however, if there are multiple direct assignments, that could be problematic. Maybe the priority or sorting you mentioned will work?
It could prove to be more complicated when our Product Team goes to implement this idea. 🤔

1
Jakob Nøtseth

Like stated initially - this is hotfixing - patching properly would be a full ACL where you combine access to your total access
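
The two models discussed in this thread, as an added example that is not part of the original posts and not Nerdio's code: a deterministic "one role wins" resolver (direct assignment beats group assignment, then a priority order breaks ties, including between several direct assignments) next to the "full ACL" model that unions permissions. The priority numbers, permission names, group names and the `Assignment` type are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed priority order (lower number wins, like firewall rule ordering).
ROLE_PRIORITY = {"superadmin": 10, "helpdesk": 20, "sales": 30}

# Constructed permission sets, used only by the union ("full ACL") model.
ROLE_PERMISSIONS = {
    "superadmin": {"manage_roles", "manage_hosts", "restart_session", "view_costs"},
    "helpdesk": {"restart_session"},
    "sales": {"view_costs"},
}


@dataclass(frozen=True)
class Assignment:
    role: str
    source: str  # "direct" or "group:<name>" (hypothetical naming)


def resolve_role(assignments):
    """Return the single winning assignment, independent of input order."""
    if not assignments:
        return None  # no assignment means no role, never a default role
    for a in assignments:
        if a.role not in ROLE_PRIORITY:
            # Fail closed: a role nobody ranked must not win by accident.
            raise ValueError(f"role without a priority: {a.role}")
    # Sort key: direct before group, then role priority, then source name
    # so that equal-priority group assignments still resolve the same way.
    return min(
        assignments,
        key=lambda a: (a.source != "direct", ROLE_PRIORITY[a.role], a.source),
    )


def effective_permissions(assignments):
    """Full-ACL model: the user's access is the union over all assigned roles."""
    perms = set()
    for a in assignments:
        perms |= ROLE_PERMISSIONS[a.role]
    return perms
```

Note that under "direct always wins" a direct helpdesk assignment down-scopes a user who is also in a superadmin group, which is the intended effect of that rule and worth confirming before relying on it.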
