How do you create new permissions in the admin?
how do I create a new permission and use it in the admin?
During development, adding new permissions is something you'd achieve with direct SQL inserts.
Let's assume we want to add a new permission with a permission root called PAYMENT and add it to our FULL_ACCESS role. By default, Broadleaf has a role called FULL_ACCESS with a role ID of -2.
We would typically have several permutations of this permission (hence calling it a permission root, and not a permission) for different operations, such as READ_PAYMENT, UPDATE_PAYMENT, CREATE_PAYMENT, DELETE_PAYMENT and ALL_PAYMENT.
However, for most purposes, we really only need to define two: ALL_PAYMENT, which allows full access to the resource, and READ_PAYMENT, which allows read-only access to it.
We start by inserting the permissions into the blc_user_permission table (note the comma between the two value tuples):
INSERT INTO blc_user_permission (id,"name",last_updated) VALUES ('readPayment','READ_PAYMENT','2020-06-01 15:45:44.030'), ('allPayment','ALL_PAYMENT','2020-06-01 15:45:44.030');
Then, we add a security scope. The scope name should be the name of the permission root (PAYMENT in this case):
INSERT INTO blc_security_scope (id,"name","open") VALUES ('PAYMENT_SCOPE', 'PAYMENT', 'N');
Now, we'll add the ALL_PAYMENT permission to the FULL_ACCESS role (role ID -2). Only the ALL_PAYMENT permission is granted here; READ_PAYMENT exists so that it can be assigned to more restricted roles:
INSERT INTO blc_role_permission_xref (role_id,permission_id) VALUES ('-2', 'allPayment');
Finally, we'll add the permission scope and tie it to the security scope:
INSERT INTO blc_permission_scope (id,"permission",is_permission_root,scope_id) VALUES ('paymentScope', 'PAYMENT', 'Y', 'PAYMENT_SCOPE');
In short, the steps generally are:
1. Add the new permission(s)
2. Add the security scope for the permission
3. Assign the permission(s) to one or more roles
4. Add a permission scope and tie it to the security scope
Since we've added this permission manually, there's one more step. Typically, user roles and permissions are synced from the AdminUser service over to the Auth service. Since we're manually inserting into the Auth tables, we need to do the same for the equivalent AdminUser tables. There's less to do here since we only need to add the newly created permissions and add them to the FULL_ACCESS role.
INSERT INTO adminuser.blc_admin_permission (id, name, tenant_id) VALUES ('readPayment','READ_PAYMENT', NULL), ('allPayment','ALL_PAYMENT', NULL);
INSERT INTO adminuser.blc_admin_role_admin_permission_xref (admin_role_id, admin_permission_id) VALUES ('-2', 'allPayment');
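The complete procedure above as one transactional script, followed by a query that checks the Auth and AdminUser tables agree on what the FULL_ACCESS role has been granted. This is an added example, not part of the Broadleaf documentation or code base. It assumes PostgreSQL syntax (quoted identifiers as in the statements above), the Auth tables on the default search path and the AdminUser tables in the adminuser schema, exactly as the page's own statements reference them; the timestamps are constructed values.

```sql
-- Added example: create the PAYMENT permission root end to end and verify
-- that Auth and AdminUser stay in sync. Assumes PostgreSQL, Auth tables on
-- the search path, AdminUser tables in the "adminuser" schema.
BEGIN;

-- 1. Permissions (Auth service)
INSERT INTO blc_user_permission (id, "name", last_updated) VALUES
  ('readPayment', 'READ_PAYMENT', '2020-06-01 15:45:44.030'),
  ('allPayment',  'ALL_PAYMENT',  '2020-06-01 15:45:44.030');

-- 2. Security scope named after the permission root ("open" = 'N' as above)
INSERT INTO blc_security_scope (id, "name", "open") VALUES
  ('PAYMENT_SCOPE', 'PAYMENT', 'N');

-- 3. Grant only ALL_PAYMENT to FULL_ACCESS (role ID -2)
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES
  ('-2', 'allPayment');

-- 4. Permission scope: marks PAYMENT as a permission root, tied to the scope
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES
  ('paymentScope', 'PAYMENT', 'Y', 'PAYMENT_SCOPE');

-- 5. Mirror the permissions and the role grant into AdminUser, which is what
--    the normal AdminUser -> Auth sync would otherwise have produced
INSERT INTO adminuser.blc_admin_permission (id, "name", tenant_id) VALUES
  ('readPayment', 'READ_PAYMENT', NULL),
  ('allPayment',  'ALL_PAYMENT',  NULL);
INSERT INTO adminuser.blc_admin_role_admin_permission_xref (admin_role_id, admin_permission_id) VALUES
  ('-2', 'allPayment');

COMMIT;

-- Drift check for role -2: permission names granted on one side but not the
-- other. An empty result set means Auth and AdminUser agree for this role.
SELECT 'auth_only' AS side, p."name" AS permission_name
FROM blc_role_permission_xref x
JOIN blc_user_permission p ON p.id = x.permission_id
WHERE x.role_id = '-2'
  AND NOT EXISTS (
    SELECT 1
    FROM adminuser.blc_admin_role_admin_permission_xref ax
    JOIN adminuser.blc_admin_permission ap ON ap.id = ax.admin_permission_id
    WHERE ax.admin_role_id = '-2' AND ap."name" = p."name")
UNION ALL
SELECT 'adminuser_only' AS side, ap."name" AS permission_name
FROM adminuser.blc_admin_role_admin_permission_xref ax
JOIN adminuser.blc_admin_permission ap ON ap.id = ax.admin_permission_id
WHERE ax.admin_role_id = '-2'
  AND NOT EXISTS (
    SELECT 1
    FROM blc_role_permission_xref x
    JOIN blc_user_permission p ON p.id = x.permission_id
    WHERE x.role_id = '-2' AND p."name" = ap."name");
```

Run the drift check after any manual change to either service's tables: a row in the result means a role can do something in one service that the other service does not know about, which is exactly the inconsistency the sync normally prevents.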
Note that you can also perform this process directly from the admin and then export your changes as SQL inserts. Navigate to the tenant-level admin, go to the security section, select "Permissions" and add your permission. Then select "Roles" and add the newly created permissions to any applicable roles.