Permission management for users

[rettichschnidi]

Goal

As an enterprise users, I want to be able to grant the users of the webinterface different (minimal) capabilities, so that e.g. developers can not take down the whole fleet.

Ideas

• Users should be allowed to manage only a specific device
• Users should be limited in what devices they can observere

[b-rowan]

There are some rudimentary permissions already included, such as device.read and device.write. How would you suggest we go about adding per-device permissions? I thought about a tagging system for a while, but we kindof have hardware for that now.

Here are my ideas -

1. Specific permissions like device.{uuid}.[read|write|delete], which would require a backward incompatible change to device.*.[read|write|delete] from device.[read|write|delete]
2. Hardware based permissions for devices, so device.hardware.{hw_revision}.[read|write|delete]. Also backwards incompatible.
3. Both? device.uuid.{uuid}.[read|write|delete], device.hardware.{hw_revision}.[read|write|delete].

[rettichschnidi]

Wow, that was really fast. Before I can give you an answer I need to talk to @easybe and @tsagadar.