Intro
Roles will be split into two categories: System Roles and Organizations Roles. System roles are global and apply to the entire system, while Organizations roles are specific to individual Organizations.
System Roles
System roles are global and apply to the entire system. They include:
- System Super Admin: Has full access to all system features and settings. Can manage users, projects, organizations and applications. (SI)
- System Admin: Has access to most system features and settings. Can manage users, organizations, and application authorizations per project. (BE)
- System User: Has limited access to system features and settings. Can view projects and applications, manage their own information, and manage the organizations where they are admin. (Others)
System Super Admin
Gets access to the following, with these authorisations:
- Users: READ, CREATE, UPDATE, DELETE
- Projects: READ, CREATE, UPDATE, DELETE
- Organizations: READ, CREATE, UPDATE, DELETE
- Applications: READ, UPDATE
System Admin
Gets access to the following, with these authorisations:
- Users: READ, CREATE, UPDATE, DELETE
- Organizations: READ, UPDATE
- Applications: READ
System User
Gets access to the following, with these authorisations:
- Users: READ, UPDATE (own information only); READ, CREATE, UPDATE, DELETE (users of an organization where they are admin)
- Projects: READ (projects of the organizations they are part of)
- Organizations: READ
- Applications: READ
Organizations Roles
Organizations roles are specific to individual Organizations. They include:
- Organization Admin: Has full access to all organization features and settings. Can manage the users of the organization.
- Organization User: Has limited access to organization features and settings. Can view projects and applications, and can manage their own information.
Set up
As for the SSO, roles must exist in the system before they can be assigned. Create the following commands, then use them to create the roles.
#[AsCommand(
    name: 'app:create-role',
    description: 'Creates a new role in the database'
)]
class CreateRoleCommand extends Command
{
    /**
     * @param EntityManagerInterface $entityManager Doctrine entity manager used to look up and persist Roles.
     */
    public function __construct(private readonly EntityManagerInterface $entityManager)
    {
        parent::__construct();
    }

    /**
     * Declares the single required positional argument: the role name.
     */
    protected function configure(): void
    {
        $this->addArgument('name', InputArgument::REQUIRED, 'The name of the role');
    }

    /**
     * Creates the named role unless it already exists.
     *
     * Returns FAILURE only for an empty name; an already-existing role is
     * reported and treated as SUCCESS, so the command can be re-run safely.
     */
    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        // Names are stored upper-cased, so "admin" and "ADMIN" map to the same role.
        $name = strtoupper(trim($input->getArgument('name')));

        if ($name === '') {
            $output->writeln('<error>The role name cannot be empty</error>');
            return self::FAILURE;
        }

        $repository = $this->entityManager->getRepository(Roles::class);
        $duplicate = $repository->findOneBy(['name' => $name]);

        if ($duplicate !== null) {
            // Redundant invocation, not an error.
            $output->writeln("<comment>Role '{$name}' already exists.</comment>");
            return self::SUCCESS;
        }

        $role = new Roles();
        $role->setName($name);

        $this->entityManager->persist($role);
        $this->entityManager->flush();

        $output->writeln("<info>Role '{$name}' created successfully!</info>");

        return self::SUCCESS;
    }
}
#[AsCommand(
    name: 'app:delete-role',
    description: 'Deletes a role from the database'
)]
class DeleteRoleCommand extends Command
{
    /**
     * @param EntityManagerInterface $entityManager Doctrine entity manager used to look up and remove Roles.
     */
    public function __construct(private readonly EntityManagerInterface $entityManager)
    {
        parent::__construct();
    }

    /**
     * Declares the single required positional argument: the name of the role to delete.
     */
    protected function configure(): void
    {
        $this->addArgument('name', InputArgument::REQUIRED, 'The name of the role to delete');
    }

    /**
     * Deletes the named role after checking it is unused and asking for confirmation.
     *
     * FAILURE is returned for an empty name, an unknown role, or a role that is
     * still assigned. A declined confirmation returns SUCCESS without deleting.
     */
    protected function execute(InputInterface $input, OutputInterface $output): int
    {
        // Same normalisation as app:create-role, so the lookup matches stored names.
        $name = strtoupper(trim($input->getArgument('name')));

        if ($name === '') {
            $output->writeln('<error>The role name cannot be empty</error>');
            return self::FAILURE;
        }

        $role = $this->entityManager
            ->getRepository(Roles::class)
            ->findOneBy(['name' => $name]);

        if ($role === null) {
            $output->writeln("<error>Role '{$name}' not found.</error>");
            return self::FAILURE;
        }

        // Refuse to delete a role that is still assigned. Only organization-level
        // assignments (UsersOrganizations) are counted here; if Roles is referenced
        // from other entities as well, those are not covered — confirm against the schema.
        $assignments = $this->entityManager
            ->getRepository(\App\Entity\UsersOrganizations::class)
            ->count(['role' => $role]);

        if ($assignments > 0) {
            $output->writeln("<error>Cannot delete role '{$name}' - it is assigned to {$assignments} user(s).</error>");
            $output->writeln('<comment>Remove all assignments first, then try again.</comment>');
            return self::FAILURE;
        }

        // Default answer is "no". With non-interactive input (e.g. --no-interaction)
        // the helper returns that default, so the command cancels rather than deletes.
        $confirm = new ConfirmationQuestion(
            "Are you sure you want to delete role '{$name}'? [y/N] ",
            false
        );
        $confirmed = $this->getHelper('question')->ask($input, $output, $confirm);

        if (!$confirmed) {
            $output->writeln('<comment>Operation cancelled.</comment>');
            return self::SUCCESS;
        }

        $this->entityManager->remove($role);
        $this->entityManager->flush();

        $output->writeln("<info>Role '{$name}' deleted successfully!</info>");

        return self::SUCCESS;
    }
}
# Seed the base roles. app:create-role reports an existing role and exits
# successfully, so this can be re-run without side effects.
for role in USER ADMIN; do
    php bin/console app:create-role "$role"
done