change: [UIE-9942] - IAM - Replace view_account with fine-grained permissions (#13262)

* save progress

* remaining instances

* cleanup and tests

Author: abailly-akamai

packages/api-v4/src/iam/types.ts

@@ -97,9 +97,12 @@ export type AccountAdmin =
   | 'list_default_firewalls'
   | 'list_delegate_users'
   | 'list_enrolled_beta_programs'
+  | 'list_entities'
+  | 'list_role_permissions'
   | 'list_service_transfers'
   | 'list_user_delegate_accounts'
   | 'list_user_grants'
+  | 'list_user_permissions'
   | 'revoke_profile_app'
   | 'revoke_profile_device'
   | 'send_profile_phone_number_verification_code'
@@ -254,8 +257,11 @@ export type AccountViewer =
   | 'list_available_services'
   | 'list_default_firewalls'
   | 'list_enrolled_beta_programs'
+  | 'list_entities'
+  | 'list_role_permissions'
   | 'list_service_transfers'
   | 'list_user_grants'
+  | 'list_user_permissions'
   | 'view_account'
   | 'view_account_login'
   | 'view_account_settings'

packages/manager/src/features/IAM/Roles/Roles.test.tsx

@@ -59,8 +59,7 @@ describe('RolesLanding', () => {
     const mockPermissions = accountRolesFactory.build();
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        view_account: true,
-        is_account_admin: true,
+        list_role_permissions: true,
       },
     });
     queryMocks.useAccountRoles.mockReturnValue({
@@ -76,8 +75,7 @@ describe('RolesLanding', () => {
   it('should show an error message if user does not have permissions', () => {
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        view_account: false,
-        is_account_admin: false,
+        list_role_permissions: false,
       },
     });
 
@@ -90,8 +88,7 @@ describe('RolesLanding', () => {
   it('should not show the default roles panel for non-child accounts', () => {
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        view_account: true,
-        is_account_admin: true,
+        list_role_permissions: true,
       },
     });
     queryMocks.useProfile.mockReturnValue({ data: { user_type: 'parent' } });
@@ -109,8 +106,7 @@ describe('RolesLanding', () => {
   it('should show the default roles panel for child accounts', () => {
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        view_account: true,
-        is_account_admin: true,
+        list_role_permissions: true,
       },
     });
     queryMocks.useProfile.mockReturnValue({ data: { user_type: 'child' } });

packages/manager/src/features/IAM/Roles/Roles.tsx

@@ -13,10 +13,10 @@ import { DefaultRolesPanel } from './Defaults/DefaultRolesPanel';
 export const RolesLanding = () => {
   const { data: permissions, isLoading: isPermissionsLoading } = usePermissions(
     'account',
-    ['view_account', 'is_account_admin']
+    ['list_role_permissions']
   );
   const { data: accountRoles, isLoading } = useAccountRoles(
-    permissions?.view_account
+    permissions?.list_role_permissions
   );
   const { isIAMDelegationEnabled } = useIsIAMDelegationEnabled();
   const { isChildAccount, isProfileLoading } = useDelegationRole();
@@ -33,7 +33,7 @@ export const RolesLanding = () => {
     return <CircleProgress />;
   }
 
-  if (!(permissions?.view_account || permissions?.is_account_admin)) {
+  if (!permissions?.list_role_permissions) {
     return (
       <Notice variant="error">You do not have permission to view roles.</Notice>
     );

packages/manager/src/features/IAM/Shared/AssignedEntitiesTable/AssignedEntitiesTable.tsx

@@ -60,6 +60,7 @@ export const AssignedEntitiesTable = ({ username }: Props) => {
   const { data: permissions } = usePermissions('account', [
     'is_account_admin',
     'update_default_delegate_access',
+    'list_entities',
   ]);
 
   const { isDefaultDelegationRolesForChildAccount } =
@@ -106,7 +107,9 @@ export const AssignedEntitiesTable = ({ username }: Props) => {
     data: entities,
     error: entitiesError,
     isLoading: entitiesLoading,
-  } = useAllAccountEntities({});
+  } = useAllAccountEntities({
+    enabled: permissions?.list_entities,
+  });
 
   const {
     data: assignedUserRoles,

packages/manager/src/features/IAM/Users/UserDetails/UserProfile.tsx

@@ -20,30 +20,27 @@ import { UsernamePanel } from './UsernamePanel';
 export const UserProfile = () => {
   const { username } = useParams({ from: '/iam/users/$username' });
   const { data: permissions } = usePermissions('account', [
-    'is_account_admin',
-    'view_account',
+    'view_user',
+    'update_user',
+    'delete_user',
+    'list_user_permissions',
   ]);
 
-  const isAccountAdmin = permissions?.is_account_admin;
-
   const {
     data: user,
     error,
     isLoading,
-  } = useAccountUser(
-    username ?? '',
-    isAccountAdmin || permissions?.view_account
-  );
+  } = useAccountUser(username ?? '', permissions?.view_user);
   const { data: assignedRoles } = useUserRoles(
     username ?? '',
-    isAccountAdmin || permissions?.view_account
+    permissions?.list_user_permissions
   );
 
   if (isLoading) {
     return <CircleProgress />;
   }
 
-  if (!(isAccountAdmin || permissions?.view_account)) {
+  if (!permissions?.view_user || !permissions?.list_user_permissions) {
     return (
       <Notice variant="error">
         You do not have permission to view this user&apos;s details.
@@ -67,9 +64,15 @@ export const UserProfile = () => {
         sx={(theme) => ({ marginTop: theme.tokens.spacing.S16 })}
       >
         <UserDetailsPanel activeUser={user} assignedRoles={assignedRoles} />
-        <UsernamePanel activeUser={user} canUpdateUser={isAccountAdmin} />
+        <UsernamePanel
+          activeUser={user}
+          canUpdateUser={permissions?.update_user}
+        />
         <UserEmailPanel activeUser={user} />
-        <DeleteUserPanel activeUser={user} canDeleteUser={isAccountAdmin} />
+        <DeleteUserPanel
+          activeUser={user}
+          canDeleteUser={permissions?.delete_user}
+        />
       </Stack>
     </>
   );

packages/manager/src/features/IAM/Users/UserEntities/UserEntities.test.tsx

@@ -74,7 +74,7 @@ describe('UserEntities', () => {
     });
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        is_account_admin: true,
+        list_entities: true,
       },
     });
   });
@@ -155,8 +155,9 @@ describe('UserEntities', () => {
   it('should not render if user does not have permissions', () => {
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        is_account_admin: false,
-        view_account: false,
+        list_entities: false,
+        view_user: false,
+        list_role_permissions: false,
       },
     });
 

packages/manager/src/features/IAM/Users/UserEntities/UserEntities.tsx

@@ -24,22 +24,17 @@ export const UserEntities = () => {
   const theme = useTheme();
   const { username } = useParams({ from: '/iam/users/$username' });
   const { data: permissions } = usePermissions('account', [
-    'is_account_admin',
-    'view_account',
+    'view_user',
+    'list_entities',
+    'list_user_permissions',
   ]);
   const {
     data: assignedRoles,
     isLoading,
     error: assignedRolesError,
-  } = useUserRoles(
-    username ?? '',
-    permissions?.is_account_admin || permissions?.view_account
-  );
+  } = useUserRoles(username ?? '', permissions?.list_user_permissions);
 
-  const { error } = useAccountUser(
-    username ?? '',
-    permissions?.is_account_admin || permissions?.view_account
-  );
+  const { error } = useAccountUser(username ?? '', permissions?.view_user);
 
   const hasAssignedRoles = assignedRoles
     ? assignedRoles.entity_access.length > 0
@@ -49,7 +44,7 @@ export const UserEntities = () => {
     return <CircleProgress />;
   }
 
-  if (!(permissions?.is_account_admin || permissions?.view_account)) {
+  if (!permissions?.list_entities) {
     return (
       <Notice variant="error">
         You do not have permission to view this user&apos;s entities.

packages/manager/src/features/IAM/Users/UserRoles/UserRoles.test.tsx

@@ -73,7 +73,7 @@ describe('UserRoles', () => {
     });
     queryMocks.usePermissions.mockReturnValue({
       data: {
-        is_account_admin: true,
+        view_user: true,
       },
     });
   });

packages/manager/src/features/IAM/Users/UserRoles/UserRoles.tsx

@@ -24,23 +24,18 @@ export const UserRoles = () => {
   const { username } = useParams({ from: '/iam/users/$username' });
   const { data: permissions } = usePermissions('account', [
     'is_account_admin',
-    'view_account',
+    'view_user',
+    'list_user_permissions',
   ]);
   const theme = useTheme();
 
   const {
     data: assignedRoles,
     isLoading,
     error: assignedRolesError,
-  } = useUserRoles(
-    username ?? '',
-    permissions?.is_account_admin || permissions?.view_account
-  );
+  } = useUserRoles(username ?? '', permissions?.list_user_permissions);
 
-  const { error } = useAccountUser(
-    username ?? '',
-    permissions?.is_account_admin || permissions?.view_account
-  );
+  const { error } = useAccountUser(username ?? '', permissions?.view_user);
 
   const hasAssignedRoles = assignedRoles
     ? assignedRoles.account_access.length > 0 ||
@@ -51,7 +46,7 @@ export const UserRoles = () => {
     return <CircleProgress />;
   }
 
-  if (!(permissions?.is_account_admin || permissions?.view_account)) {
+  if (!permissions?.view_user) {
     return (
       <Notice variant="error">
         You do not have permission to view this user&apos;s roles.

packages/manager/src/features/IAM/Users/UsersTable/UserRow.tsx

@@ -30,11 +30,11 @@ export const UserRow = ({ onDelete, user }: Props) => {
   const { data: permissions } = usePermissions('account', [
     'delete_user',
     'is_account_admin',
-    'view_account',
+    'view_user',
   ]);
 
   const { isIAMDelegationEnabled } = useIsIAMDelegationEnabled();
-  const canViewUser = permissions.view_account;
+  const canViewUser = permissions.view_user;
 
   // Determine if the current user is a child account with isIAMDelegationEnabled enabled
   // If so, we need to show the 'User type' column in the table