support role

pcrespov · pcrespov · commit 5e47e58fd79f · 2025-09-05T11:49:03.000+02:00
diff --git a/services/web/server/src/simcore_service_webserver/security/_authz_access_roles.py b/services/web/server/src/simcore_service_webserver/security/_authz_access_roles.py
@@ -104,15 +104,20 @@ class PermissionDict(TypedDict, total=False):
         ],
         inherits=[UserRole.USER],
     ),
+    UserRole.PRODUCT_SUPPORT: PermissionDict(
+        can=[
+            "product.details.*",
+            "admin.users.read",
+        ],
+        inherits=[UserRole.TESTER],
+    ),
     UserRole.PRODUCT_OWNER: PermissionDict(
         # NOTE: Add `tags=["po"]` to entrypoints with this access requirements
         can=[
-            "product.details.*",
             "product.invitations.create",
-            "admin.users.read",
             "admin.users.write",
         ],
-        inherits=[UserRole.TESTER],
+        inherits=[UserRole.PRODUCT_SUPPORT],
     ),
     UserRole.ADMIN: PermissionDict(
         can=[
diff --git a/services/web/server/tests/unit/with_dbs/03/invitations/test_users_accounts_rest_registration.py b/services/web/server/tests/unit/with_dbs/03/invitations/test_users_accounts_rest_registration.py
@@ -97,6 +97,7 @@ async def mock_send_message(msg):
             for role in UserRole
             if role not in {UserRole.PRODUCT_OWNER, UserRole.ADMIN, UserRole.ANONYMOUS}
         ),
+        (UserRole.PRODUCT_SUPPORT, status.HTTP_200_OK),
         (UserRole.PRODUCT_OWNER, status.HTTP_200_OK),
         (UserRole.ADMIN, status.HTTP_200_OK),
     ],
