To authenticate Admin Users we are going to use an OAuth2 provider. Currently this is an Authentik instance hosted under https://auth.mooslechner.dev/ But our apps should be set up in a way that it should be trivial to swap this out for another provider, should we need to.
By default new users should be assigned the ‘viewer’ role. There should be an invitation link for this: https://auth.mooslechner.dev/if/flow/tech-atlas-invitation/?itoken=a8daeb8a-e3ce-425c-a225-4f1d8f51f555
The Admin Interface should be protected by a sign in page, to not allow everyone to alter our datasets that will be used in the Dashboard. There should be a distinction between ‘viewer’ and ‘editor’ users. Currently they are assigned the roles ‘tech-atlas-viewer’ and ‘tech-atlas-editor’. The ‘viewer’ role should only enable a user to view existing pipelines, datasets and configurations. The ‘editor’ role should entitle the user to create/start/modify/delete these objects.
The Dashboard should still be publicly accessible without any sign in needed. The entire Dashboard micro-service should only get read-only rights for our database.