Use Case & User Stories: Admin: Effective Permissions View¶
| Use Case ID: | UC-08 |
| Use Case Name: | Inspect a User's Effective Permissions |
| Feature: | Admin: Effective Permissions View |
| Actors: | System Administrator (Primary) |
1. Use Case Description¶
This use case describes the process by which an authorized System Administrator uses a read-only diagnostic tool to inspect the complete, calculated set of permissions for any given user. The administrator selects a user and accesses a dedicated view that clearly lists the user's group memberships, all inherited roles, and the final, de-duplicated list of their effective permissions. This feature is crucial for troubleshooting access-related issues, auditing user rights, and validating the configuration of the access control model.
2. User Stories¶
-
US-31: Troubleshoot User Access Issues
As a System Administrator, I want to view a user's final, calculated set of permissions in a clear, alphabetized list, so that I can quickly answer the question "Why can't this user access X?" and reduce the time spent on resolving support tickets.
-
US-32: Audit and Verify User Permissions
As an IT Security Officer, I want to be able to inspect the precise access rights of any individual user, including their group memberships and inherited roles, so that I can easily audit their access level and ensure it complies with our internal security policies.
-
US-33: Validate Access Control Configuration
As a System Administrator, I want to see the real-time result of a user's group assignments, so that I can confirm that the combination of groups and roles I've configured has resulted in the intended set of effective permissions.
-
US-34: Enforce Access Control for Viewing Permissions
As an IT Security Officer, I want the ability to view a user's effective permissions to be strictly controlled by the
user:view:permissionspermission, so that only highly trusted administrators can inspect this sensitive security information.
3. Preconditions¶
- The user is a System Administrator with an active session (UC-01).
- The administrator's effective permissions include
user:view:permissions(UC-04). - The administrator is on the "User Management" listing page or a specific user's edit page.
4. Postconditions¶
- On Success: The administrator is shown a read-only view containing the target user's details and a comprehensive, real-time breakdown of their permissions.
- On Failure: Access is denied, and the administrator is shown an "Access Denied" page.
5. Main Success Scenario (Happy Path)¶
| Step | User Action | System Response |
|---|---|---|
| 1 | On the User Listing page, finds a user (e.g., "Bob") and clicks the "View Permissions" button/link. | The system verifies the admin has the user:view:permissions permission. |
| 2 | The system calculates Bob's permissions in real-time, based on the logic defined in the Access Control Model Foundation BRD. | |
| 3 | The system displays the "Effective Permissions View" page or modal. | |
| 4 | The view prominently displays the user's Full Name and Email Address ("Bob / bob@example.com"). | |
| 5 | The view is logically separated into three read-only sections:\<br>1. Group Memberships: A list of all groups the user belongs to.\<br>2. Inherited Roles: A unique list of all roles inherited from those groups.\<br>3. Effective Permissions: The final, de-duplicated list of all permission strings. | |
| 6 | All lists within the view (Groups, Roles, Permissions) are sorted alphabetically for readability. |
6. Alternative & Exception Flows¶
-
Flow A: Troubleshooting a Specific Permission Issue
- 1a. An admin, David, investigates why user Bob cannot see a specific report. David opens Bob's "Effective Permissions View".
- 1b. David scans the alphabetized "Effective Permissions" list. He sees
report:view:salesbut does not see the requiredreport:view:sales_q3_projectionspermission. - Outcome: David immediately identifies that the problem is not with Bob's account but with the configuration of his inherited "Report Viewer" role.
-
Flow B: Verifying Permissions for a User in Multiple Groups
- 1a. David has just added a manager, Carol, to two groups: "Marketing Department" and "Content Approvers". Before closing the ticket, he opens her "Effective Permissions View".
- 1b. The "Group Memberships" list correctly shows both groups.
- 1c. The "Effective Permissions" list shows a combined set from both the "Manager" and "Publisher" roles, including both
campaign:approveandarticle:publish. - Outcome: David confirms the configuration is correct.
-
Exception Flow C: Unauthorized Access Attempt
- 1a. A team lead with permission to view the user list (
user:view:list) but notuser:view:permissionsis looking at their team. - System Response: The "View Effective Permissions" button or link is not visible on any user row.
- 1b. If the team lead were to obtain and try to use the direct URL for the permissions view.
- System Response: The system would validate their permissions, find
user:view:permissionsis missing, and redirect them to the "Access Denied" page.
- 1a. A team lead with permission to view the user list (