From 5cc1e1aab7a02a088f194322cec58c0f0abfe804 Mon Sep 17 00:00:00 2001
From: florian <f.spreckelsen@inidscale.com>
Date: Tue, 9 Aug 2022 14:31:32 +0200
Subject: [PATCH] DOC: Add role-permissions table

---
 src/doc/permissions.rst           |  2 +
 src/doc/role-permission-table.rst | 89 +++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 src/doc/role-permission-table.rst

diff --git a/src/doc/permissions.rst b/src/doc/permissions.rst
index 86932e9b..ea45575d 100644
--- a/src/doc/permissions.rst
+++ b/src/doc/permissions.rst
@@ -44,6 +44,8 @@ below: role permissions and entity permissions.
 Role permissions
 ***********************
 
+See the :ref:`Role Permission Table` for a full list of role permissions.
+
 .. _entity-permissions:
 
 Entity permissions
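Review bot: the new label ``Role Permission Table`` breaks the label convention used in this file, where the neighbouring labels are lowercase and hyphenated (``.. _entity-permissions:`` two lines below); consider ``.. _role-permission-table:`` with ``:ref:`role-permission-table``` so cross-references stay uniform (Sphinx lowercases and collapses whitespace in label names, so a mixed-case label with spaces works but is easy to mistype elsewhere).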
diff --git a/src/doc/role-permission-table.rst b/src/doc/role-permission-table.rst
new file mode 100644
index 00000000..2860407f
--- /dev/null
+++ b/src/doc/role-permission-table.rst
@@ -0,0 +1,89 @@
+.. _Role Permission Table:
+
+Role Permissions
+================
+
+Roles in CaosDB can have the following permissions
+
+.. list-table:: Role permissions
+   :header-rows: 1
+   :widths: 33 67
+
+   * - Permission
+     - Description
+   * - ``ACCESS_SERVER_PROPERTIES``
+     - Permission to read the server properties.
+   * - ``ACM:*``
+     - Permissions to administrate the access controll management system. That
+       includes managing users, roles, and assigning permissions to roles and
+       roles to users.
+   * - ``ACM:ROLE:*``
+     - Permissions to manage roles, i.e. create, retrieve, update and delete
+       roles and assign them to users.
+   * - ``ACM:ROLE:ASSIGN:?ROLE?``
+     - Permission to assign a role (to a user).
+   * - ``ACM:ROLE:DELETE:?ROLE?``
+     - Permission to delete a role.
+   * - ``ACM:ROLE:INSERT``
+     - Permission to create a new role.
+   * - ``ACM:ROLE:RETRIEVE:DESCRIPTION:?ROLE?``
+     - Permission to retrieve the description of a role.
+   * - ``ACM:ROLE:RETRIEVE:PERMISSIONS:?ROLE?``
+     - Permission to read the permissions of a role.
+   * - ``ACM:ROLE:UPDATE:DESCRIPTION:?ROLE?``
+     - Permission to update the description of a role.
+   * - ``ACM:ROLE:UPDATE:PERMISSIONS:?ROLE?``
+     - Permission to set the permissions of a role.
+   * - ``ACM:USER:*``
+     - Permissions to manage users, i.e. create, retrieve, update and delete
+       users.
+   * - ``ACM:USER:DELETE:?REALM?:?USER?``
+     - Permission to delete a user
+   * - ``ACM:USER:INSERT:?REALM?``
+     - Permission to create a user in the given realm
+   * - ``ACM:USER:RETRIEVE:INFO:?REALM?:?USER?``
+     - Permission to retrieve the user info (email, entity, status)
+   * - ``ACM:USER:RETRIEVE:ROLES:?REALM?:?USER?``
+     - Permission to retrieve the roles of a user
+   * - ``ACM:USER:UPDATE:EMAIL:?REALM?:?USER?``
+     - Permission to update the email address of a user.
+   * - ``ACM:USER:UPDATE:ENTITY:?REALM?:?USER?``
+     - Permission to set the entity which is associated with a user.
+   * - ``ACM:USER:UPDATE:ROLES:?REALM?:?USER?``
+     - Permission to change the roles of a user.
+   * - ``ACM:USER:UPDATE:STATUS:?REALM?:?USER?``
+     - Permission to update the status of a user, i.e. marking them as
+       ``ACTIVE`` or ``INACTIVE``.
+   * - ``ACM:USER:UPDATE_PASSWORD:?REALM?:?USER?``
+     - Permission to set the password of a user.
+   * - ``SCRIPTING:EXECUTE:?PATH?``
+     - Permission to execute a server-side script under the given path. Note
+       that, for utilizing the wild cards feature, you have to use ``':'`` as
+       path separator. E.g. ``'SCRIPTING:EXECUTE:my_scripts:*'`` would be the
+       permission to execute all executables below the ``my_scripts`` directory.
+   * - ``SERVERLOGS:RETRIEVE``
+     - Permission to read the server logs. (DEPRECATED)
+   * - ``STATE:*``
+     - Permissions to manage state models and the states of entities.
+   * - ``STATE:ASSIGN:?STATE_MODEL?``
+     - Permission to assign a state model.
+   * - ``STATE:FORCE:FINAL``
+     - Permission to force to leave a state models specified life-cycle even
+       though the currrent state isn't a final state in the that model.
+   * - ``STATE:TRANSITION:?TRANSITION?``
+     - Permission to initiate a transition.
+   * - ``STATE:UNASSIGN:?STATE_MODEL?``
+     - Permission to unassign a state model.
+   * - ``TRANSACTION:*``
+     - Permission to execute any writable transaction. This permission only
+       allows to execute these transactions in general. The necessary entities
+       permissions are not implied.
+   * - ``TRANSACTION:DELETE:?ENTITY_ROLE?``
+     - Permission to delete entities of a given role (e.g. Record, File,
+       RecordType, or Property).
+   * - ``TRANSACTION:INSERT:?ENTITY_ROLE?``
+     - Permission to insert entities of a given role (e.g. Record, File,
+       RecordType, or Property).
+   * - ``TRANSACTION:UPDATE:?ENTITY_ROLE?``
+     - Permission to update entities of a given role (e.g. Record, File,
+       RecordType, or Property).
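Review bot: the table relies on ``?ROLE?``, ``?REALM?``, ``?USER?``, ``?STATE_MODEL?``, ``?TRANSITION?``, ``?ENTITY_ROLE?`` and ``?PATH?`` placeholders but never states what they mean; add a sentence before the table saying that each placeholder is replaced by a concrete name and that ``*`` is the wildcard, since the wildcard rule is currently only explained inside the ``SCRIPTING:EXECUTE:?PATH?`` row. Because ``ACM:ROLE:UPDATE:PERMISSIONS:?ROLE?`` and ``ACM:USER:UPDATE:ROLES:?REALM?:?USER?`` let a holder grant themselves further permissions, the intro should also say that these, like ``ACM:*``, are effectively full administrative rights and should be assigned accordingly. Typos: "controll" in the ``ACM:*`` row; the ``STATE:FORCE:FINAL`` row should read "Permission to force leaving a state model's specified life-cycle even though the current state isn't a final state in that model"; "entities permissions" in the ``TRANSACTION:*`` row should be "entity permissions"; the intro sentence and the ``ACM:USER:DELETE``, ``ACM:USER:INSERT``, ``ACM:USER:RETRIEVE:INFO`` and ``ACM:USER:RETRIEVE:ROLES`` rows lack a trailing period. Finally, the patch creates ``role-permission-table.rst`` without adding it to any toctree; confirm it is included, otherwise Sphinx will warn that the document isn't included in any toctree and it will only be reachable through the new ``:ref:``.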
-- 
GitLab