directus/directus

Users inherit permissions from Multiple Groups

benhaynes asked for this feature over 1 year ago — 3 comments

benhaynes commented over 1 year ago Admin

From wittwerch: https://github.com/wittwerch

In Directus a user can be assigned to one group. For simple use cases this fits well, but as soon as you start to build a larger system you have the need to assign multiple roles (aka groups) to a user.

Proposal

We therefore propose to extend Directus to support multiple groups per user.

Multi group select

Introduce a new join table directususersgroups and replace the dropdown with a multi select element in the user profile page.

Table level permissions

If a user is in multiple groups with different table level permissions, we can easily merge both permissions to the highest level. It is possible in all cases like Add/Edit/View/Delete/Column Read Blacklist/Column Write Blacklist.

IP Whitelist

If a user persists in multiple groups, we can merge the IP addresses of the whitelist of both groups and then display according to that.

Nav Blacklist

If a user persists in multiple groups, we can merge the Nav Blacklist of both groups and then display according to that.

Nav Override

The navigation override could be challenging. The question is how do we merge these entries when they conflict. Maybe the order of the groups assigned to a user could define how we merge.
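The table-level and IP whitelist merges proposed above, sketched as an added example that is not part of the original post or Directus code. The field names, the numeric levels (0 = none, 1 = own items, 2 = all items) and the meaning of an empty whitelist are assumptions; the blacklist handling shows the case where a group that grants no access must not widen another group's blacklist.

```javascript
// Added example. Field names and numeric levels are assumptions, not Directus's schema.
// Levels: 0 = none, 1 = own items, 2 = all items (larger means broader access).
const LEVELS = ["add", "edit", "view", "delete"];

// Columns blacklisted by every list; no lists means nothing to blacklist.
function intersect(lists) {
  if (lists.length === 0) return [];
  return lists.reduce((acc, list) => acc.filter((col) => list.includes(col)));
}

// groups: [{ add, edit, view, delete, readBlacklist, writeBlacklist }, ...]
function mergeTablePermissions(groups) {
  const merged = {};
  for (const level of LEVELS) {
    // The highest level granted by any group wins; no groups means no access.
    merged[level] = Math.max(0, ...groups.map((g) => g[level] || 0));
  }
  // A blacklist restricts, so the most permissive merge is the intersection.
  // Only groups that grant the access take part: a group with view = 0 and an
  // empty blacklist must not erase another group's blacklist.
  const readers = groups.filter((g) => (g.view || 0) > 0);
  const writers = groups.filter((g) => (g.add || 0) > 0 || (g.edit || 0) > 0);
  merged.readBlacklist = intersect(readers.map((g) => g.readBlacklist || []));
  merged.writeBlacklist = intersect(writers.map((g) => g.writeBlacklist || []));
  return merged;
}

// Union of the groups' IP whitelists. Assumption: an empty whitelist means
// "no IP restriction", so one unrestricted group lifts the restriction (null).
function mergeIpWhitelists(whitelists) {
  if (whitelists.some((w) => w.length === 0)) return null;
  return [...new Set(whitelists.flat())].sort();
}

// Constructed sample groups for one table.
const editors = { add: 1, edit: 1, view: 2, delete: 0,
  readBlacklist: ["salary"], writeBlacklist: ["salary", "role"] };
const auditors = { add: 0, edit: 0, view: 2, delete: 0,
  readBlacklist: ["salary", "notes"], writeBlacklist: [] };
const guests = { add: 0, edit: 0, view: 0, delete: 0,
  readBlacklist: [], writeBlacklist: [] };

console.log(mergeTablePermissions([editors, auditors, guests]));
console.log(mergeIpWhitelists([["10.0.0.5"], ["10.0.0.5", "192.0.2.10"]]));
```

Because every rule here widens access, adding a user to one more group can only loosen their effective permissions, which is worth checking whenever a group assignment changes.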


Thank you for drafting this up @wittwerch – everything but the nav override makes sense to me. Is this just a general feature request or is this something that you are interested in submitting a PR for? I see this change as an improvement – but one that would likely take some time and would almost certainly introduce many tangential changes/bugs.

I'll try to start compiling a list of Group related things here:

- Send Messages: You can send messages to groups – no problem (conceptually) here though
- User Directory: Shows your group overlaying the avatar – not a big deal, but this would have to change

I'll try to think of others...

alangv commented about 1 year ago

Adding this feature is the only way to use Directus in larger systems. And it is necessary for me ;-)

BenMakesGames commented 12 months ago

I'd also like this feature. I'm looking for a headless or decoupled CMS for work, and we sell subscriptions for various products; we need to support users with all kinds of combinations of access levels, for example user A might subscribe to product X, while user B subscribes to X, Y, and Z, while user C subscribes to X and Z, etc. I've only started looking into Directus today, and it looks really cool, but we definitely need more flexibility in a permissions system.
