Collection-specific user roles

Collection-Specific Roles

You may find yourself in a situation in which you'd like users to be assigned collection-specific roles. This article details the process of configuring Fusion security to allow for collection-specific user roles. 

In this example, I have configured 3 collections and 2 users. 

Collections:

  • test_collection
  • test2
  • collection3

Users:

  • test_user
  • test_search_user

 

The goal here is for the test_user to have admin access to collections whose names begin with "test", such as the "test_collection" and "test2" collections. The test_search_user should only have search access on collections whose names begin with "test". This user should not be able to do anything beyond searching those specific collections. No user should be able to access "collection3" in any capacity since it does not begin with "test".

Setting up Permissions

In the case of the test_user, I create a role called "test_role" with the following configuration:

Permissions:

GET:/configurations
GET,PUT:/prefs/apps/search/{id}:id=test*
GET:/connectors/**
GET,PUT:/usage/counters/
GET:/query-pipelines/*/collections/{id}/select:id=test*
GET:/collections/query-profiles
GET:/collections
GET:/solr/schema
GET:/collections/{id}:id=test*
PATCH:/users/{id}:id=#ID
GET:/query-pipelines/collections/select
GET:/solr/*/admin/luke

Pay close attention to the lines with id=test*. This constraint is what limits those permissions to collections whose names begin with "test". Also note that this user can have all UI permissions, since we'd like the user to have admin-like access for these collections.

In the case of the test_search_user, I create a role called "test_search_role" with the following configuration:

Permissions:

GET:/query-pipelines/*/collections/{id}/select:id=test*
GET:/query-pipelines
GET:/solr/*/schema
GET:/prefs/apps/search/*
GET:/collections/{id}:id=test*
GET:/solr/*/admin/luke

Note that this user only has access to the "search" and "collections" UI permissions. 
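
To sanity-check a role before assigning it, the following added example (not Fusion's own code and not part of the original article) models the test_search_role permission strings in Python and evaluates constructed requests against them. It assumes that * matches exactly one path segment, that ** matches the rest of the path, and that the value after id= is a glob pattern; the request paths and the helper names are hypothetical.

```python
from fnmatch import fnmatchcase

# test_search_role permissions, copied from the article above.
TEST_SEARCH_ROLE = [
    "GET:/query-pipelines/*/collections/{id}/select:id=test*",
    "GET:/query-pipelines",
    "GET:/solr/*/schema",
    "GET:/prefs/apps/search/*",
    "GET:/collections/{id}:id=test*",
    "GET:/solr/*/admin/luke",
]

def parse(spec):
    """Split 'METHODS:/path[:var=glob]' (the single-constraint form used here)."""
    methods, path, *rest = spec.split(":", 2)
    constraints = dict([rest[0].split("=", 1)]) if rest else {}
    return set(methods.split(",")), path.strip("/").split("/"), constraints

def path_matches(pattern, segments, constraints, user_id):
    for i, pat in enumerate(pattern):
        if pat == "**":                  # assumed: matches the rest of the path
            return True
        if i >= len(segments):
            return False
        seg = segments[i]
        if pat.startswith("{") and pat.endswith("}"):
            glob = constraints.get(pat[1:-1], "*")
            ok = seg == user_id if glob == "#ID" else fnmatchcase(seg, glob)
            if not ok:
                return False
        elif pat != "*" and pat != seg:  # assumed: '*' matches one segment
            return False
    return len(segments) == len(pattern)

def allowed(role, method, path, user_id=""):
    """True if any permission string in the role covers this request."""
    segments = path.strip("/").split("/")
    return any(method in m and path_matches(p, segments, c, user_id)
               for m, p, c in map(parse, role))

if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for method, path in [("GET", "/collections/test2"),
                         ("GET", "/collections/collection3"),
                         ("PUT", "/collections/test2"),
                         ("GET", "/solr/collection3/schema")]:
        print(method, path, allowed(TEST_SEARCH_ROLE, method, path))
```

Under these assumptions the unconstrained * in /solr/*/schema and /solr/*/admin/luke also matches collection3, so confirm against a live instance whether those two lines need the same {id} constraint as the others.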

Setting up the User

Once you've configured each of these roles, you'll create the users using their respective roles.

Here is the configuration for the test_user:

 

And here is the configuration for the test_search_user:

 

 

When configured properly, this should be the admin user's home view of the Fusion UI:

This should be the test_user's view of the Fusion UI:


This user has full access to test2 and test_collection.

This should be the test_search_user's view of the Fusion UI:

This user cannot see any collection stats, but can query the test collections via the query-pipeline. 
