Description
EOEPCA v2 introduced a model in which users are not linked directly to workspaces; instead, a team ↔ workspace relationship is established.
Team membership information is managed in Keycloak as Membership records.
This allows a user, once authenticated, to retrieve all of their memberships — and consequently, all workspaces they have access to (potentially more than one).
When a user gains access to a workspace, they can perform various actions such as adding new buckets, requesting additional bucket access, granting or denying access to owned buckets, inviting new team members, or launching the Datalab to develop code and execute scripts.
Stakeholders have requested more fine-grained permission control.
For example, feedback from Terradue (APeX) distinguishes two user types:
- Operator User: An APeX user responsible for setting up work environments for ESA project participants. The EOEPCA Workspace UI supports such operators in managing resources through Kubernetes concepts, including onboarding teams and managing access permissions.
- EO Application Developer User: An APeX user developing algorithms or EO services within a hosted ESA project. The EOEPCA Datalab UI supports these users in managing files and code through a familiar “Finder”-like interface.
In practice, we need to distinguish between:
- a Team Operator, who manages buckets, access grants, and memberships for a specific team (distinct from a system operator), and
- a Team User (EO Application Developer), who primarily interacts with the Datalab UI.
Goals
- Define workspace-level roles to distinguish between Team Operators and Team Users.
- Enforce these roles within the Workspace API.
- Update the Workspace UI to visually reflect these roles — for example, by hiding or disabling tabs for which the user lacks permission.
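As an added example (not code from the EOEPCA project), the following Python sketch shows how a Workspace API could resolve a user's team memberships into per-workspace roles and enforce the Team Operator / Team User split described above, denying by default and keeping operator rights scoped to the workspace they were granted in. The membership record shape, the team-to-workspace mapping and the action names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    TEAM_USER = 1      # EO Application Developer: works in the Datalab UI
    TEAM_OPERATOR = 2  # manages buckets, access grants and memberships of a team

# Actions named in the issue, split by the role they require (split assumed from the text).
OPERATOR_ACTIONS = {"add_bucket", "request_bucket_access", "grant_bucket_access",
                    "deny_bucket_access", "invite_member"}
MEMBER_ACTIONS = {"launch_datalab"}

@dataclass(frozen=True)
class Membership:
    user: str
    team: str
    role: Role

# Constructed sample data; the record shape is an assumption, not Keycloak's schema.
MEMBERSHIPS = [
    Membership("alice", "team-alpha", Role.TEAM_OPERATOR),
    Membership("alice", "team-beta", Role.TEAM_USER),
    Membership("bob", "team-beta", Role.TEAM_OPERATOR),
]
TEAM_WORKSPACES = {"team-alpha": ["ws-alpha"], "team-beta": ["ws-beta", "ws-beta-staging"]}

def workspaces_for(user: str) -> dict[str, Role]:
    """Workspaces reachable via team membership, with the role held in each.
    If two teams grant the same workspace, the more privileged role wins."""
    result: dict[str, Role] = {}
    for m in MEMBERSHIPS:
        if m.user != user:
            continue
        for ws in TEAM_WORKSPACES.get(m.team, []):
            if ws not in result or m.role.value > result[ws].value:
                result[ws] = m.role
    return result

def is_allowed(user: str, workspace: str, action: str) -> bool:
    """Deny by default: no membership, unknown action or insufficient role -> False.
    Roles are scoped per workspace, so operator rights never carry across workspaces."""
    role = workspaces_for(user).get(workspace)
    if role is None:
        return False
    if action in MEMBER_ACTIONS:
        return True
    if action in OPERATOR_ACTIONS:
        return role is Role.TEAM_OPERATOR
    return False
```

The same `workspaces_for` result can drive the UI: a tab is shown only when `is_allowed` returns True for the actions it exposes.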
Future Evolution (to be tracked separately, not here)
- Define which secrets (e.g., storage credentials, kubeconfig) are injected per user within the Datalab environment.
- Support user-specific credentials for members of the same workspace team.