Need more information on DeveloperRole

#1

I am trying to get more information on what permissions are given to users who are a member of DeveloperGroup (which provides DeveloperRole).

This is what I have been able to gather so far from the documentation in static/console: help > documentation > in depth:

{
  "id" : "DeveloperRole",
  "permissions" : [
    "deny:*:cluster-admin:",
    "deny:*:user-admin:",
    "allow:*::*"
  ],
  "actionConditions" : [
    "Member::*:(1==1)"
  ]
}

However, the above is described as “an example” and I am unable to determine if this remains accurate for the tenant/tag deployed in the current version of our platform (7.7.6).

I have been getting permissions information via Role.allPermissions(…). For example:

c3Grid(Role.allPermissions(Role.get("UserAdminRole")))
c3Grid(Role.allPermissions(Role.get("ClusterAdminRole")))

However, I am unable to do the same for:

c3Grid(Role.allPermissions(Role.get("DeveloperRole")))

The response I get is error 400 / Bad Request.

Further, when I try to look at all roles to try and find DeveloperRole with:

c3Grid(Role.fetch())

I see a listing of many roles, but DeveloperRole is not there – which is probably part of the problem.

I understand that DeveloperRole is probably “special”. So here is the root of my questions:

  1. I need to have some definitive list of permissions/capabilities that someone who is granted this role will have.

  2. I need to know if those access privileges are correct for v7.7.6.

  3. I would like to know if I’m interpreting the above “sample” correctly (assuming it remains unchanged for 7.7.6) – that a user granted DeveloperRole is only explicitly denied cluster-admin and user-admin actionGroup capabilities – but otherwise can access ANY data and perform ANY action.

Please provide answers to the above 3 questions or direct me to some documentation.

Thanks

Paul

0 Likes

#2

In 7.7, DeveloperRole was moved from apps to Platform. In order to retrieve platform roles you should use the seed() API, e.g. Role.seed("DeveloperRole"). The DeveloperRole definition is much more complex than the example provided in Access Control documentation (source of the above example).

Role.seed("DeveloperRole")[0].permissions will return the list of permissions.

Your interpretation of the permission is correct. DeveloperRole explicitly denies members of this group access to APIs in the cluster-admin and user-admin ActionGroup.

1 Like
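
For reviewing what the role actually grants on a given version, the permission list returned by the call in post #2 can be compared against the documented example from post #1. The following is an added example, not code from the thread or from the platform vendor. The function names, the field names `type` and `action`, the reading of an empty field as unconstrained, and the `example-group` entry are assumptions made for illustration.

```javascript
// Documented example from the Access Control docs, as quoted in post #1.
const DOCUMENTED_EXAMPLE = [
  "deny:*:cluster-admin:",
  "deny:*:user-admin:",
  "allow:*::*",
];

// Split one permission string into fields. The thread confirms only the
// effect (field 1) and the ActionGroup (field 3); "type" and "action" are
// assumed names for fields 2 and 4.
function parsePermission(entry) {
  const [effect, type = "", actionGroup = "", action = ""] = entry.split(":");
  if (effect !== "allow" && effect !== "deny") {
    throw new Error("unrecognised permission entry: " + entry);
  }
  return { effect, type, actionGroup, action, raw: entry };
}

// Assumption: an empty field or "*" places no constraint on that field.
const isWild = (field) => field === "" || field === "*";

// Summarise a role's permission list for review (hypothetical helper).
function auditRole(livePermissions, documented = DOCUMENTED_EXAMPLE) {
  const parsed = livePermissions.map(parsePermission);
  const live = new Set(livePermissions);
  const doc = new Set(documented);
  const denied = parsed
    .filter((p) => p.effect === "deny" && !isWild(p.actionGroup))
    .map((p) => p.actionGroup);
  return {
    // ActionGroups the role is explicitly denied.
    deniedActionGroups: [...new Set(denied)].sort(),
    // Allow entries with no constraint in any field: the "ANY action" case.
    unrestrictedAllows: parsed
      .filter((p) => p.effect === "allow" &&
        isWild(p.type) && isWild(p.actionGroup) && isWild(p.action))
      .map((p) => p.raw),
    // Drift between the deployed definition and the documented example.
    notInDocumentedExample: livePermissions.filter((e) => !doc.has(e)),
    missingFromLive: documented.filter((e) => !live.has(e)),
  };
}

// Constructed stand-in for a live result. In the console, pass
// Role.seed("DeveloperRole")[0].permissions instead.
const constructedLive = [...DOCUMENTED_EXAMPLE, "deny:*:example-group:"];
console.log(auditRole(constructedLive));
```
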