Roles and permissions
Configuring P4SaMD as Console extension with Single Sign-On allow us to integrate with Mia-Platform Console authentication and authorization flow and leverage Console user roles and permissions to control access to P4SaMD resources and operations users can perform.
In addition to inheriting Console roles and permissions, P4SaMD users have custom permissions giving more fine-grained control over what they can do inside P4SaMD. Currently, these permissions are assigned to users based on their Console roles.
By default, unless stated otherwise, all authenticated users have full read access to information available on P4SaMD.
Capabilities and permissions
The following table provides a comprehensive list of the capabilities and the corresponding permissions.
All permissions starting with console are inherited from the Console, while those starting with p4samd are custom permissions used only by P4SaMD.
| Capabilities | P4SaMD permission |
|---|---|
| Create Console project | console.company.project.create |
| Create Console microservice | console.company.project.service.repository.create |
| Update Console project configuration | console.company.project.configuration.update |
| Download documentation | p4samd.documentation.download |
| Create reference | p4samd.reference.create |
| Delete reference | p4samd.reference.delete |
| Update reference | p4samd.reference.update |
| Evaluate requirement with AI | p4samd.requirement.ai.evaluate |
| Approve SWI design | p4samd.software.item.approve |
| Revoke approval of SWI design | p4samd.software.item.approval.revoke |
| Create SWI design | p4samd.software.item.create |
| Delete SWI design | p4samd.software.item.delete |
| Link SWI to other entities | p4samd.software.item.link |
| Update SWI design | p4samd.software.item.update |
| Accept SWI vulnerability | p4samd.software.item.vulnerability.accept |
| Change software system settings | p4samd.software.system.settings.manage |
| Evaluate test with AI | p4samd.test.ai.evaluate |
| Run test suite | p4samd.test.suite.run |
| Delete test suite | p4samd.test.suite.delete |
This table provides the default list of the P4SaMD permissions granted to each Console role. Please contact directly Mia-Care for more info or customization.
| Permission | Guest | Reporter | Developer | Maintainer | Project Administrator | Company Owner |
|---|---|---|---|---|---|---|
console.company.project.create | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
console.company.project.service.repository.create | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
console.company.project.configuration.update | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
p4samd.documentation.download | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
p4samd.reference.create | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.reference.delete | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.reference.update | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.requirement.ai.evaluate | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.software.item.approve | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.software.item.approval.revoke | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.software.item.create | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
p4samd.software.item.delete | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.software.item.link | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
p4samd.software.item.update | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
p4samd.software.item.vulnerability.accept | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.software.system.settings.manage | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.test.ai.evaluate | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.test.suite.run | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
p4samd.test.suite.delete | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
Security policies
The Role-Based Access Control (RBAC) security policies are enforced in two different but complementary ways:
- Visual elements, like buttons and menus, allowing the user to perform a certain action are hidden if the user is missing the required permissions.
- API endpoints are protected with Rönd, a distributed security policy evaluation tool integrated natively with the Mia-Platform Console.
The association between roles and permissions is managed using Rönd roles.
The following sections provide details about the security policies enforced for each capability mentioned previously.
Download documentation
A user must have the p4samd.documentation.download permission to download any of the automatically generated reports, both on the Overview page and the Software items section.
Without the required permissions, the user cannot:
- access the reports section in the Overview page;
- download the SBOM of a system version in the Software Items section;
- download the history or changelog documentation of a software item in the Software Items table or drawer.
Create reference
A user must have the p4samd.reference.create permission to add a new reference in the References section.
Delete reference
A user must have the p4samd.reference.delete permission to delete an existing reference in the References section.
Update reference
A user must have the p4samd.reference.update permission to update an existing reference in the References section.
Evaluate requirement with AI
A user must have the p4samd.requirement.ai.evaluate permission to request a new AI-based evaluation of a requirement, which would overwrite any existing evaluation.
Without the required permissions, the user can see all the details about existing requirement evaluations, but cannot trigger a new evaluation from both the Requirements table and drawer.
Approve SWI design
A user must have the p4samd.software.item.approve permission to approve and revoke approval of a software item.
Without the required permissions, the user can see any approval metadata for an already approved software item and, if granted the p4samd.software.item.approval.revoke permission, can revoke the approval.
Revoke approval of SWI design
A user with the p4samd.software.item.approval.revoke permission can revoke the approval of an already-approved software item, but cannot approve a software item.
The approval requires the p4samd.software.item.approve permission (see previous section).
Create SWI design
A user with the p4samd.software.item.create permission can add a new software item design from the Software Items section.
Delete SWI design
A user with the p4samd.software.item.delete permission can delete an existing software item design from the Software Items table.
Link SWI to other entities
A user with the p4samd.software.item.link or p4samd.software.item.update permission can link any of the following P4SaMD entities to a software item:
Without any of these permissions, the user cannot link a change request, requirement, risk or tests from their respective section.
Update SWI design
A user with the p4samd.software.item.update permission can edit a software item design from the Software Items table or drawer.
With this permission, the user can also link a change request, requirement, risk or tests from the update modal or from the specific section of the related P4SaMD entity.
Accept SWI vulnerability
A user with the p4samd.software.item.vulnerability.accept permission can manage the vulnerability acceptance, including:
- accept a vulnerability;
- update vulnerability acceptance information;
- revoke vulnerability acceptance.
Without these permissions, the user can only view the vulnerabilities.
Change software system settings
A user must have the p4samd.software.system.settings.manage permission to change the system version settings.
Evaluate test with AI
A user must have the p4samd.test.ai.evaluate permission to request a new AI-based evaluation of a test, which would overwrite any existing evaluation.
Without the required permissions, the user can see all the details about existing test evaluations, but cannot trigger a new evaluation from both the Tests table and drawer.
Run test suite
A user must have the p4samd.test.suite.run permission to execute a test suite.
Without the required permissions, the user can see all the details about existing evaluations, but cannot trigger a new execution.
Delete test suite
A user must have the p4samd.test.suite.delete permission to delete a test suite.
Create Console project
This capability is enforced by the Console Rönd instance.
:::
A user must have the Console console.company.project.create permission to create a new Company project on the Console.
Without this permission, the user is not displayed the button on the Software Items table redirecting to the Console wizard to create a new project.
This permission is inherited from the Console roles and permissions.
Create Console microservice
This capability is enforced by the Console Rönd instance.
:::
A user must have the Console console.company.project.service.repository.create permission to add a new microservice with a dedicated repository.
Without this permission, the user is not displayed the button on the Software Items table redirecting to the Design > Microservices section of the Console project.
This permission is inherited from the Console roles and permissions.
Update Console project configuration
This capability is enforced by the Console Rönd instance.
:::
A user must have the Console console.company.project.configuration.update permission to make any changes to a Console project configuration from the Design section.
Without this permission, the user is not displayed the button on the Software Items table redirecting to the Design > Microservices section of the Console project.
This permission is inherited from the Console roles and permissions.