Nikola, a front end developer here at Cycloid, tells us what led to our recent shake up of Roles & Policies, why what we had could be improved, and how we went about improving it.
Until recently, our Roles and Policies system used a one-to-one relation. What does it mean? It means that the user was able to assign only 1 policy for 1 entity without any link or hierarchy between those entities.
Why was that a problem?
The user had to give access to the project but also specify access to each pipeline belonging to that project. That wasn't a big deal for small projects, but as complexity increases, it becomes really cumbersome to scale and maintain. Another issue was that we were not able to create flexible complex custom user roles.
How did we overcome it?
To solve the problem, we had to replace what we had with a new technology that we developed using REGO OPA (open policy agent). It provided us with scalability and opened the door for cool features we have already introduced and others that are planned for the future. One of those features is the ability to use globing. This eliminates the need to specify each resource or action and allows you to simply write policy like organization:**, which grants access to perform all actions under all resources.
How does it look now?
Now an organization can create highly flexible complex custom roles and even achieve role grouping by creating various roles and assigning them to a team. If we need to be more specific, the role can be created using system-defined actions and resources or/and with manually created actions. From a technical point of view, we now have clear ground and solid foundations for developing all the features we've planned for Roles & Policies - permissions scoping, enhanced globing and even greater flexibility.
Roles & Policies - the future
Our goal is to achieve a fully customizable and scalable solution that will enable enterprise customers to handle access to their resources. For example, as an admin user, I would like to give access to Project B and all its child entities by using globing and scoped permissions, avoiding the need to add permissions for each action on the entity manually.
One possible way of achieving this would be by the user creating a role that contains permissions to perform all actions on a specific project: