diff --git a/ocis/README.md b/ocis/README.md index 108af945a..5f5ab2f53 100644 --- a/ocis/README.md +++ b/ocis/README.md @@ -100,3 +100,38 @@ This command provides additional options: * `--dry-run` (default: `true`)\ Do not remove any empty folders but print the empty folders that would be removed. + +### List Unified Roles + +This command simplifies the process of finding out which UID belongs to which role. The command is: + +```bash +ocis graph list-unified-roles +``` + +The output of this command includes the following information for each role: + +* `uid`\ + The unique identifier of the role. +* `Description`\ + A short description of the role. +* `Enabled`\ + Whether the role is enabled or not. +* `Condition` +* `Allowed Resource Action` + +**Example output (shortned)** + +```bash ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +| UID | ENABLED | DESCRIPTION | CONDITION | ALLOWED RESOURCE ACTIONS | ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled | View and download. | exists @Resource.Root | libre.graph/driveItem/path/read | +| | | | | libre.graph/driveItem/quota/read | +| | | | | libre.graph/driveItem/content/read | +| | | | | libre.graph/driveItem/permissions/read | +| | | | | libre.graph/driveItem/children/read | +| | | | | libre.graph/driveItem/deleted/read | +| | | | | libre.graph/driveItem/basic/read | ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +``` diff --git a/services/graph/README.md b/services/graph/README.md index f711ff06b..e47937b7d 100644 --- a/services/graph/README.md +++ b/services/graph/README.md 
@@ -89,3 +89,64 @@ which is the source of the texts provided by the code. ## Default Language The default language can be defined via the `OCIS_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + +## Unified Role Management + +Unified Roles are roles granted a user for sharing and can be enabled or disabled. A CLI command is provided to list existing roles and their state among other data. + +{{< hint info >}} +Note that a disabled role does not lose previously assigned permissions. It only means that the role is not available for new assignments. +{{< /hint >}} + +The following roles are **enabled** by default: + +- `UnifiedRoleViewerID` +- `UnifiedRoleSpaceViewer` +- `UnifiedRoleEditor` +- `UnifiedRoleSpaceEditor` +- `UnifiedRoleFileEditor` +- `UnifiedRoleEditorLite` +- `UnifiedRoleManager` + +The following role is **disabled** by default: + +- `UnifiedRoleSecureViewer` + +To enable disabled roles like the `UnifiedRoleSecureViewer`, you must provide the UID(s) by one of the following methods: + +- Using the `GRAPH_AVAILABLE_ROLES` environment variable. +- Setting the `available_roles` configuration value. + +The following CLI command simplifies the process of finding out which UID belongs to which role: + +```bash +ocis graph list-unified-roles +``` + +The output of this command includes the following information for each role: + +* `UID`\ + The unique identifier of the role. +* `Enabled`\ + Whether the role is enabled or not. +* `Description`\ + A short description of the role. 
+* `Condition` +* `Allowed resource actions` + +**Example output (shortned)** + +```bash ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +| UID | ENABLED | DESCRIPTION | CONDITION | ALLOWED RESOURCE ACTIONS | ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled | View and download. | exists @Resource.Root | libre.graph/driveItem/path/read | +| | | | | libre.graph/driveItem/quota/read | +| | | | | libre.graph/driveItem/content/read | +| | | | | libre.graph/driveItem/permissions/read | +| | | | | libre.graph/driveItem/children/read | +| | | | | libre.graph/driveItem/deleted/read | +| | | | | libre.graph/driveItem/basic/read | ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +``` + diff --git a/services/graph/pkg/config/unified_roles.go b/services/graph/pkg/config/unified_roles.go index 08a1f8434..0919e4d5f 100644 --- a/services/graph/pkg/config/unified_roles.go +++ b/services/graph/pkg/config/unified_roles.go @@ -2,5 +2,5 @@ package config // UnifiedRoles contains all settings related to unified roles. type UnifiedRoles struct { - AvailableRoles []string `yaml:"available_roles" env:"GRAPH_AVAILABLE_ROLES" desc:"A list of roles that are available for assignment." introductionVersion:"%%NEXT%%"` + AvailableRoles []string `yaml:"available_roles" env:"GRAPH_AVAILABLE_ROLES" desc:"A comma separated list of roles that are available for assignment." introductionVersion:"%%NEXT%%"` }
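Review bot: in the `ocis/README.md` hunk, the `Condition` and `Allowed Resource Action` bullets are the only list items without a description, and the field names do not match the example table below them (`uid` versus `UID`, `Allowed Resource Action` versus `ALLOWED RESOURCE ACTIONS`). Suggest a one-line explanation for each (what a condition expression such as `exists @Resource.Root` gates, and that the actions are the `libre.graph/...` permissions the role grants), capitalisation aligned with the table, and `**Example output (shortned)**` corrected to `shortened`. The example output is a rendered table rather than a shell command, so a `text` fence would be more accurate than ```bash.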
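Review bot: in the `services/graph/README.md` hunk, the sentence "you must provide the UID(s) by one of the following methods" leaves open whether the value of `GRAPH_AVAILABLE_ROLES` / `available_roles` replaces the default set of enabled roles or adds to it. If it replaces it, an administrator who sets only the `UnifiedRoleSecureViewer` UID would silently make the seven default roles unavailable for new assignments; suggest stating explicitly which semantics apply and showing one complete example value. The hint box is a useful warning, and since a disabled role keeps previously assigned permissions, one sentence on how existing assignments are revoked when that is the intent would round it off. Also `shortned` should read `shortened`, the `Condition` and `Allowed resource actions` bullets lack descriptions as in the ocis README, and the two copies of this list differ in order (`Enabled` before `Description` here, after it in ocis/README.md) and capitalisation, so consider keeping them identical.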
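Review bot: in the `unified_roles.go` hunk, the new `desc` reads "A comma separated list of roles that are available for assignment", but both README hunks say the value consists of role UIDs, not role names such as `UnifiedRoleSecureViewer`; suggest `A comma separated list of role UIDs that are available for assignment.` so the generated configuration docs match the README. Since the field is `[]string` with both a `yaml:` and an `env:` tag, the YAML form is presumably a sequence rather than a comma separated string, so it may be worth qualifying the wording, e.g. "(comma separated when set via the environment variable)".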