Multi-tenant authorization
- Jim Wilson
Terms/Legend
Admin: user assigned to the admin role
BC: business context
BIE owner: the user specified as a BIE's owner
manage [x]: create, edit, or delete [x]
manage context: manage BCs, context categories, or context schemes (including context category values)
←→: association
: no user (not even admins)
oP: User action is applicable to an on-prem instance (just a visual cue)
mt: User action is applicable to a multi-tenant instance (just a visual cue)
Authorization table
The authorization indicated in the “On-prem instance” column reflect Score’s current (pre-multi-tenant) behavior.
| 1 |
| Authorizations | |
| 2 | On-prem instance | Multi-tenant instance | |
| 3 | Manage user oPmt | Admin | Admin |
| 4 | Manage tenant mt | Admin | |
| 5 | Manage user←→tenant mt | Admin | |
| 6 | Manage BC←→tenant mt | Admin | |
| 7 | Create BIE oPmt | Any user1 | Any user associated with a tenant2,3 |
| 8 | Manage BC←→BIE oPmt | BIE owner3 | BIE owner2,3 |
| 9 | Manage context oPmt | Any user | Admin |
| 10 | Transfer ownership of BIE oPmt | BIE owner | BIE owner5 |
| 11 | Manage modules oP | Any user | |
| 12 | Manage Core Components4 oP | Developer | |
| 13 | Make BIE reusable oP | BIE owner | |
| 14 | Create ABIE extension locally oP | BIE owner | |
| 15 | Create ABIE extension globally oP | BIE owner | |
1All BCs are available to the user.
2The BCs available to the user are limited by their tenancy. Users not associated with a tenant cannot create a BIE since they would not be able to assign a BC on BIE creation (all the BCs would all be filtered out). However, it would make sense to alert the user, perhaps on login, that they can’t do anything useful in Score until they have been assigned to a tenant.
3Note that Admins have no special authorization in this case.
4To be precise, Developer can manage CCs in Working Branch but end user cannot. End user can manage end-user CCs in Released Branch.
5Users to whom the BIE ownership may be transferred are limited to users associated with tenants associated with BCs associated with the BIE (other than the current owner — doesn’t make sense for an owner to transfer ownership to themself).