To authenticate Admin Users we are going to use an OAuth2 provider. Currently this is an Authentik instance hosted under https://auth.mooslechner.dev/. Our apps should be set up so that swapping it out for another provider is trivial, should we need to.

The Admin Interface should be protected by a sign-in page, so that not everyone can alter the datasets that will be used in the Dashboard. There should be a distinction between ‘viewer’ and ‘editor’ users. Currently they are assigned the roles ‘tech-atlas-viewer’ and ‘tech-atlas-editor’. The ‘viewer’ role should only enable a user to view existing pipelines, datasets and configurations. The ‘editor’ role should entitle the user to create/start/modify/delete these objects.
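One way to enforce the viewer/editor split on the server side, as an added sketch that is not code from this project. It assumes the token signature, expiry and audience were already verified by an OIDC library, that roles arrive in a claim named `groups`, and that editors may also view; `ProviderConfig`, `roles_from_claims` and `is_allowed` are hypothetical names.

```python
from dataclasses import dataclass

# Role names are from the requirements above; everything else is assumed.
VIEWER_ROLE = "tech-atlas-viewer"
EDITOR_ROLE = "tech-atlas-editor"
KNOWN_ROLES = frozenset({VIEWER_ROLE, EDITOR_ROLE})
OBJECT_TYPES = frozenset({"pipeline", "dataset", "configuration"})
WRITE_ACTIONS = frozenset({"create", "start", "modify", "delete"})


@dataclass(frozen=True)
class ProviderConfig:
    """All provider-specific values in one place, so a swap is a config change."""
    issuer: str                  # expected "iss" value of the current provider
    roles_claim: str = "groups"  # assumed claim name carrying the role list


def roles_from_claims(claims: dict, cfg: ProviderConfig) -> frozenset:
    """Return the known roles found in already-verified token claims."""
    if claims.get("iss") != cfg.issuer:
        return frozenset()       # token from an unexpected issuer: no roles
    raw = claims.get(cfg.roles_claim, [])
    if isinstance(raw, str):
        raw = [raw]              # tolerate a single string instead of a list
    if not isinstance(raw, (list, tuple)):
        return frozenset()
    return frozenset(r for r in raw if isinstance(r, str) and r in KNOWN_ROLES)


def is_allowed(claims: dict, cfg: ProviderConfig, action: str, object_type: str) -> bool:
    """Deny by default; only the listed actions on the listed objects pass."""
    if object_type not in OBJECT_TYPES:
        return False
    roles = roles_from_claims(claims, cfg)
    if action == "view":
        # Assumption: an editor may also view, so any known role suffices.
        return bool(roles)
    if action in WRITE_ACTIONS:
        return EDITOR_ROLE in roles
    return False
```

The check belongs in the Admin Interface backend on every request; hiding buttons in the UI alone does not stop a viewer from calling a write endpoint directly.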

By default new users should be assigned the ‘viewer’ role. There should be an invitation link for this: https://auth.mooslechner.dev/if/flow/tech-atlas-invitation/?itoken=a8daeb8a-e3ce-425c-a225-4f1d8f51f555

The Dashboard should still be publicly accessible without any sign-in. The entire Dashboard micro-service should get only read-only rights to our database.