Granular roles for VO Admins #1174
Description
Current VO Admin roles is too broad and it has been discussed that we should allow a more granular approach to support experiment/research community with diverse architecture.
For example an research administrator of a leaf community should be able to approve user because they know the researcher but should not be able to complete other admin task such as client management (client deletion, scope assignment etc.) as that is out of the scope of their role.
Also task such as client owner assigning other owner should be possible.
I believe that this should be doable after the new react dashboard.
Edit:
Based on the discussion at the hackathon, I proposed there should be the following roles:
- User management: Approving/rejecting Account registration, Disabling/Deleting account
- Root group management: Ability to create root group in IAM and assign Group manager of the root group
- Sub group management: Ability for manager for parent group to assign group manager to sub group and create sub group. (this should be integrated with the current group manager list)
- Client management: Client owner should be able to add or remove other client owner, should be integrated with the current client owner role
- Existing VO admin role: keep the same for IAM admin to maintain control.