Add ADR for Authentication And Roles Feature #1787
Merged: nscuro merged 13 commits into DependencyTrack:main from jmayer-lm:jm-auth-and-roles-adr on Jul 14, 2025
Commits (13):
82d1174 jmayer-lm: docs: Initial creation of Auth and Roles feature
e515e61 jmayer-lm: fix: Added Mermaid Diagram
bb5b4dd jmayer-lm: Remove "SYSTEM" from diagram
c0b04fe jmayer-lm: Added ADR to mkdocs.yml
2a100f5 jmayer-lm: Updated Diagram
0261444 jmayer-lm: Updated Diagram_v2
cd50004 jmayer-lm: Update docs/architecture/decisions/009-auth-and-roles.md
5338cd7 jmayer-lm: fix: address comments
f7d3ba7 jmayer-lm: Addressing Elaboration comment on Decision section
2ccb0ab jmayer-lm: Merge branch 'main' into jm-auth-and-roles-adr
0681378 jmayer-lm: fix: resolve merge conflict in mkdocs.yml navigation structure
3152ca8 jmayer-lm: fix: remove whitespaces
3494909 jmayer-lm: Merge branch 'main' into jm-auth-and-roles-adr
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| | Status | Date | Author(s) | | ||
| | :------- | :--------- | :----------------------------------------- | | ||
| | Proposed | 2025-05-14 | [@jmayer-lm](https://github.com/jmayer-lm) | | ||
|
|
||
| ## Context | ||
|
|
||
| The Dependency Track system currently faces challenges with its permission structure, lacking clear role definitions and appropriate access controls. To address these issues, a comprehensive overhaul of the permission system is proposed. This initiative aims to refine and fix the existing permissions, introduce roles, and enhance the overall access management within Dependency Track. | ||
|
|
||
| ## Decision | ||
|
|
||
| We decide to implement a comprehensive overhaul of the Dependency Track permission system, incorporating the following key elements: | ||
|
|
||
| - Introducing "roles" means assigning groups of permissions to specific types of users (e.g., Admin, Auditor, etc). This allows for more granular control over what actions different types of users can perform within the system. | ||
| - Implement Query Manager changes to enforce permissions at the project level. This will ensure that users can only view and modify projects they have access to. | ||
| - Split the current permission set into global and team/project-based permission sets, adding any potentially missing ones to ensure comprehensive coverage of access scenarios. Global permissions are applied universally across the system and are not specific to any project or team. Team/Project-based permissions are specific to individual teams or projects, allowing for more customized access control within those contexts. | ||
| - Add custom roles, the abilitiy to create tailored sets of permssions specifc to the type of user, to Dependency Track with a field to link to external services, enhancing integration capabilities and allowing for more seamless interactions with other tools and platforms. | ||
| - Separate Team administration from system administration, clarifying roles and responsibilities to prevent confusion and minimize the risk of unintended system-wide changes. | ||
|
|
||
| ## Data Model | ||
|
|
||
| ```mermaid | ||
|
|
||
| erDiagram | ||
| %% Table Definitions | ||
| ROLE { | ||
| bigint ID PK | ||
| text NAME | ||
| uuid UUID | ||
| } | ||
|
|
||
| USER { | ||
| bigint ID PK | ||
| } | ||
|
|
||
| PERMISSION { | ||
| bigint ID PK | ||
| text DESCRIPTION | ||
| text NAME | ||
| } | ||
|
|
||
| ROLES_PERMISSIONS { | ||
| bigint ROLE_ID FK "References ROLE(ID)" | ||
| bigint PERMISSION_ID FK "References PERMISSION(ID)" | ||
| } | ||
|
|
||
| USERS_ROLES { | ||
| bigint USER_ID FK "References USER(ID)" | ||
| bigint ROLE_ID FK "References ROLE(ID)" | ||
| } | ||
|
|
||
| %% Relationships for USERS_ROLES: This table associates a USER and a ROLE. | ||
| USER ||--o{ USERS_ROLES : "assigned" | ||
| ROLE ||--o{ USERS_ROLES : "applied to" | ||
|
|
||
| %% Relationships between ROLE and PERMISSION via ROLES_PERMISSIONS | ||
| ROLE ||--o{ ROLES_PERMISSIONS : "has" | ||
| PERMISSION ||--o{ ROLES_PERMISSIONS : "assigned via" | ||
| ``` | ||
|
|
||
| ## Consequences | ||
|
|
||
| The implementation of the new permission system and roles in Dependency Track is expected to have the following consequences: | ||
|
|
||
| - Improved Security: The introduction of more granular permission controls and the separation of team administration from system administration will reduce the risk of unauthorized access to sensitive features and data, enhancing the overall security posture of the platform. | ||
| - Enhanced Usability: By providing more tailored and flexible access controls, users will have a more streamlined experience, with access to the features and resources they need to perform their tasks, without being overwhelmed by unnecessary permissions or complexity. | ||
| - Reduced Administrative Burden: The clarification of roles and responsibilities, particularly the distinction between team and system administration, will simplify the management of the platform, reducing the administrative workload and making it easier to maintain and evolve the system over time. | ||
| - Better Scalability: The introduction of custom roles and the ability to link to external services will make it easier for Dependency Track to integrate with other tools and platforms, improving its scalability and adaptability to different use cases and environments. | ||
| - Increased Complexity for Small Teams: For very small teams or individual users, the introduction of more granular permission controls might add complexity, potentially making it more challenging to manage permissions and access. Guidance and documentation will be crucial in mitigating this impact. | ||
|
|
||
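Review bot: the entity diagram under `## Data Model` does not carry the project/team scope that the `## Decision` section commits to. The Decision bullets promise Query Manager changes enforcing permissions at the project level and a split into global versus team/project-based permission sets, yet `USERS_ROLES` holds only `USER_ID` and `ROLE_ID`, so the model cannot express "user X holds role Y on project Z"; every role assignment is effectively global, which is exactly the access-control gap the Context section says this ADR is meant to close. Consider recording the scope in the diagram, for example a scope column on `USERS_ROLES` such as `bigint PROJECT_ID FK "References PROJECT(ID)"` (a PROJECT entity is not yet in the diagram) or a separate project-role assignment entity, plus a global/scoped indicator on `PERMISSION`, so the ADR documents how the project-level check is keyed. Two smaller points in the same hunk: the "field to link to external services" promised for custom roles does not appear on `ROLE`, and neither join table (`ROLES_PERMISSIONS`, `USERS_ROLES`) declares a composite primary key or unique constraint, so duplicate assignments are representable. The custom-roles bullet also has typos: "abilitiy", "permssions", "specifc".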