Roles & Rights
There are 3 levels of roles:
- Global Roles
  - Global Users
  - Global Admins
  - Webmaster
- Mandant Roles
  - Mandant-User
  - Teacher
  - Mandant-Admin
- Course Roles
  - Member
  - Moderator
  - Owner
Role levels differ in scope: Mandant Roles only apply within a single mandant, Course Roles only within a single course, and so on.
Implementation
There are two main mechanisms handling Roles and Rights:
- Firestore Rules
  - Evaluated on every read and write to Firestore.
  - This document refers to these rules by their document path, for example `/users/${userId}`.
- Job's isAllowed() method
  - Evaluated by code running on a server or in a Cloud Function.
There are also two services, available on server and client, providing information about Roles and Rights respectively:
- RoleService
  - Note: extends `IsofireRoleService` for GlobalRoles and MandantRoles.
  - Often used by Job's isAllowed() method to get roles.
- RightsService
  - Gets roles from RoleService.
  - Mainly used on the client to determine which UI is displayed.
Global Roles
Global Users
- Definition:
  - Everybody registered
- Rights:
  - There are rules that allow reads and writes based on the userId:
    - can read their own global User: `/users/{userId}`
    - can read and write own jobs: `/jobs/{jobId}`
Global Admins
- Definition:
  - Global Users (`/users/${userId}`) with a property `globalAdmin: true`
- Rights:
  - can read everything: `/{document=**}`
  - can edit Mandants: `/mandants/${mandantId}`
  - can edit Dynamic Redirects: `/dynamicRedirects/{dynamicRedirectId}`
  - can edit Global Configs: `/configs/{configId}`
- Usage:
  - There is no UI to grant/revoke this role. It is recommended to grant/revoke it from the Firebase console by setting the property manually.
  - Global Admin rights are not needed very often.
  - Mainly used to create new Mandants.
  - Their ability to read everything allows for some unique Admin views like Health.
Webmaster
- Definition:
  - Their userId is explicitly hardcoded in the Firestore Rules.
- Rights:
  - Webmaster can read and write everything: `/{document=**}`
- Usage:
  - The Webmaster role is a unique role mainly used for development and system administration.
  - It is not recommended to log in to crowde.net as webmaster.
  - It is mainly used in the Firestore Query Browser to read and write to Firestore manually.
Mandant Roles
Definition:
- Global Users (`/users/${userId}`) have a property `mandants` determining their mandant roles. The keys in `mandants` are the `mandantId` and the numerical values determine the `roleNumber`.
  - Mandant-User: `roleNumber >= 1`
  - Teacher: `roleNumber >= 5`
  - Mandant-Admin: `roleNumber >= 9`
- Example: The following user is User in 'kit', Teacher in 'cau' and Admin in 'uzk':
```json
{ "id": "MHY82S9nCmPuGvkgt172Nuoow4s1", "mandants": { "kit": 1, "cau": 5, "uzk": 9 } }
```
Usage:
- To join a mandant as 'Mandant-User', the user has to perform an `AddUserToMandant` job. Currently, this will always be allowed.
- Mandant-Admins can change a user's mandant role to any of the three roles in the client's User Overview.
- Rights:
  - Nearly all reads and writes in `/mandants/{mandantId}/{document=**}` require at least this role.
Teacher
Rights:
- can read all Mandant-Users: `/mandants/{mandantId}/users/{userId}`
- can read all Connected Accounts: `/mandants/{mandantId}/connectedAccounts/{id}`
- can create and edit all Courses and CourseCodes: `/mandants/{mandantId}/courses/{courseId}` (...)
- can create and edit all Guidelines, QuestionTagDefinitions and QuestionTagGroupDefinitions: `/mandants/{mandantId}/guidelines/{guidelineId}` (...)
- can create and edit all Question Pools, Question Pool Questions and Exam Factories: `/mandants/{mandantId}/questionPools/{id}` (...)
Usage:
- Teachers can edit most of the non-course-specific entities.
- All Teachers operate on the same Mandant and should self-organize any practical ownership of Guidelines or Question Pools. Therefore, teachers need to trust each other. If teachers do not trust each other, create multiple mandants.
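An added example, not code from the crowde.net project, that applies the `roleNumber` thresholds from the Mandant Roles definition and the Global Admin, Webmaster and Teacher rights above to a Firestore document path, in the style of a Job's isAllowed() method. `WEBMASTER_UIDS`, the collection sets and the `isAllowed`/`mandantRole` names are assumptions; the first user document is the one from this page.

```javascript
// Added example, not code from the crowde.net project: an isAllowed()-style checker
// that applies the role rules documented on this page to a Firestore path.
// WEBMASTER_UIDS, the collection sets and the admin user document are assumptions.
const WEBMASTER_UIDS = new Set(["WEBMASTER-UID-PLACEHOLDER"]); // hardcoded, like in the rules
const ROLE = { USER: 1, TEACHER: 5, ADMIN: 9 };                // roleNumber thresholds
// Top-level collections a Global Admin may edit (mandants, dynamicRedirects, configs).
const GLOBAL_ADMIN_EDITABLE = new Set(["mandants", "dynamicRedirects", "configs"]);
// Mandant subcollections only a Teacher (or higher) may read, and only a Teacher may write.
const TEACHER_READ = new Set(["users", "connectedAccounts"]);
const TEACHER_WRITE = new Set([...TEACHER_READ, "courses", "courseCodes", "guidelines",
  "questionTagDefinitions", "questionTagGroupDefinitions", "questionPools"]);

// roleNumber of a user inside one mandant; 0 when the user is not a member.
// Non-integer values (e.g. the string "9") are treated as "no role".
function mandantRole(userDoc, mandantId) {
  const n = ((userDoc && userDoc.mandants) || {})[mandantId];
  return Number.isInteger(n) && n > 0 ? n : 0;
}

// Decide whether `op` ("read" | "write") on the document at `path` is allowed for
// `userDoc` (the /users/{userId} document). Anything not granted below is denied.
function isAllowed(userDoc, op, path) {
  const seg = path.split("/").filter(Boolean);
  if (WEBMASTER_UIDS.has(userDoc.id)) return true;          // Webmaster: everything
  const admin = userDoc.globalAdmin === true;                // strict, like `== true` in rules
  if (admin && op === "read") return true;                   // Global Admin: read everything
  if (seg.length === 2) {                                    // top-level documents
    if (seg[0] === "users") return op === "read" && seg[1] === userDoc.id;
    // /jobs/{jobId} is omitted: the page does not say how a job's owner is stored.
    return admin && GLOBAL_ADMIN_EDITABLE.has(seg[0]);
  }
  if (seg[0] === "mandants" && seg.length >= 4) {            // /mandants/{id}/{coll}/{doc}...
    const role = mandantRole(userDoc, seg[1]);
    if (role < ROLE.USER) return false;                      // at least Mandant-User required
    if (op === "read") return !TEACHER_READ.has(seg[2]) || role >= ROLE.TEACHER;
    return TEACHER_WRITE.has(seg[2]) && role >= ROLE.TEACHER;
  }
  return false;
}

// Sample user document taken from this page: User in 'kit', Teacher in 'cau', Admin in 'uzk'.
const SAMPLE_USER = { id: "MHY82S9nCmPuGvkgt172Nuoow4s1", mandants: { kit: 1, cau: 5, uzk: 9 } };
console.log(isAllowed(SAMPLE_USER, "write", "/mandants/cau/courses/c1")); // true (Teacher in cau)
console.log(isAllowed(SAMPLE_USER, "write", "/mandants/kit/courses/c1")); // false (only User in kit)
```

The rules text says "nearly all" mandant reads require membership, so the real Firestore Rules are stricter in places than this checker; it only encodes what this page states.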