An administrator may create, edit, or delete a role via the roles and permissions section of the administration menu. See the user stories below for the specific types of roles that may be created and edited in CollectionSpace 1.0.
UI -> Service mapping:
- Access -> Read
- Write -> Create, Read, Update
- Delete -> Delete
- Read Only -> Read, No Update, No Delete
Note: For Read-Only permissions, the App layer would have to render pages only after checking whether the user also has Update and/or Delete permissions at the service layer. Read-Only permission enforcement would require the following three permission checks in the App layer:
- check that READ is allowed, but also ...
- make sure UPDATE is not allowed, AND
- make sure DELETE is not allowed
Dan mentioned in the earlier STIM on this topic that the app layer would perform its own access control check. Sanjay's interpretation: when it comes to controlling access to UI-owned resources such as pages, widgets, etc., the App layer would enforce additional access control.
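The mapping and the three-part Read-Only check above, as an added illustration (not CollectionSpace code): the UI levels resolve to service-layer actions, and the App layer treats Read-Only as a derived state that requires READ to be present and both UPDATE and DELETE to be absent. Combining several UI levels by union, and the "no-access" / "read-only" / "editable" render modes, are assumptions of this example.

```python
from enum import Flag, auto

class ServiceAction(Flag):
    """Service-layer permissions as named on the page (Create, Read, Update, Delete)."""
    NONE = 0
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()

# UI level -> service-layer actions granted, per the page's mapping.
# "Read Only" is deliberately absent: it is a derived state, not a grant.
UI_TO_SERVICE = {
    "Access": ServiceAction.READ,
    "Write": ServiceAction.CREATE | ServiceAction.READ | ServiceAction.UPDATE,
    "Delete": ServiceAction.DELETE,
}

def service_actions_for(ui_levels):
    """Union of service-layer actions for a set of UI levels (union is an assumption)."""
    granted = ServiceAction.NONE
    for level in ui_levels:
        granted |= UI_TO_SERVICE[level]
    return granted

def is_read_only(granted):
    """App-layer Read-Only enforcement: READ allowed, and neither UPDATE nor DELETE allowed."""
    return (ServiceAction.READ in granted
            and ServiceAction.UPDATE not in granted
            and ServiceAction.DELETE not in granted)

def render_mode(granted):
    """Decide which page variant the App layer may render (mode names are hypothetical)."""
    if ServiceAction.READ not in granted:
        return "no-access"   # the record is not rendered at all
    if is_read_only(granted):
        return "read-only"   # render without edit/delete controls
    return "editable"        # UPDATE and/or DELETE present: show edit/delete controls
```

Note that a bare "Delete" level yields no-access: the page maps it to Delete only, so READ must come from another level before anything is rendered.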
Related User Stories:
- Admin can create a new role allowing no access, read, write, and delete at the record level
- Admin can create a new role allowing read or write at the field level
- Admin can edit an existing role
- Admin can delete a role