Custom Application: Query User Group for current user? (For permission handling)

[cb-adesso]

Hello there :-)

I was wondering if someone from developer team can help us with suggestion or some guidance. Any tips and suggestions are appreciated. Thanks!

Our client requested fine-grained permission system for the custom app we build. The custom application contains multiple views/pages and should only be used by specific user groups. We are currently only checking 'ViewProducts' as generic access permission test. After consulting the ct permission docs we concluded that, we can't create our own permissions like 'ViewCustomAuditLog', 'ViewCustomOrderHandling', 'ViewCustomDataExport' ...

Is this conclusion correct?
What is a proper way to implement this requirement?

We're currently thinking about dirty workarounds e.g. using naming convention in user group names and stuff like this. (If user X is member of group AuditLog show audit log in custom application.)

The idea was inspired by inspecting some GraphQL calls. 'FetchLoggedInUser' in particular is interesting one, but return type 'User' misses any user group information.

POST https://mc-api.europe-west1.gcp.commercetools.com/graphql
x-graphql-target: mc
x-graphql-operation-name: FetchLoggedInUser
...
{
    "operationName":"FetchLoggedInUser",
    "variables":{},
    "query":"query FetchLoggedInUser { user: me { id firstName lastName email __typename}}"
}

Best Regards,

Chris

[mmaltsev-ct]

Hello @cb-adesso,

thank you for creating a discussion regarding this topic!

At the moment, our new "Organization-level" Custom Applications don't support such granular permissions. Permissions like ViewProducts shouldn't be used as well, as these were used only in our legacy setup. So currently, only ViewCustomApp and ManageCustomApp permissions are available for a given Custom Application.

We understand that this is essential functionality for our users, so we're planning to introduce granular permissions for Custom Applications as soon as possible. We have just finalized the RFC for this feature and will start the development soon. You can follow this issue to get updates regarding the development progress.

On a side note, could you share with us your timeline, so that we could help you with a temporary solution in case you cannot wait for the granular permissions to be officially introduced?

[cb-adesso]

Hi @mmaltsev-ct,

about timeline, the implementation of permission management was original scheduled for September 2022. And we assumed that we could finalize user acceptance tests around mid of September 2022. We assume there is not much time buffer for any delays on customer side. But depending on availability of "need to be able to create additional scopes #2649" a postponing may be possible.

Can you guesstimate when "need to be able to create additional scopes #2649" will hit development? Or any sort of ETA? We may be able to convince our client, when delay is not too large.

Update: I got feedback that our client require a fast solution (99% confidence). Maxim, can provide "temporary solution"?

[mmaltsev-ct]

Hey @cb-adesso could you write an email to address please? I'll schedule a call with someone from our engineering team to go through your use-case.

[cb-adesso]

To sum up the discussion. There will be proper feature for scopes and permission in custom app is planed. Rough ETA Q4/2022 perhaps Q1/2022. Official announcement, see CT partner newsletter.

For the @mmaltsev-ct showed us a workaround to bridge the time until feature is released.

Thank you!