
Implement field configurable security for global admin, project admin, and team member #346

Open

Opened by @ethanstrominger

Description

Overview

Implement the ability to configure security for user fields so that a global admin, project admin, practice area lead, or team member can be prevented from having read, update, or create permissions on sensitive fields. These roles correspond to the adminGlobal, adminProject, practiceLead, and memberTeam permission types.

Functional Security Requirements (Excluding PracticeAreaAdmin)

  1. Role-Based Access Control (Excluding PracticeAreaAdmin)
  • AdminGlobal:
    • Full access across all Projects and Practice Areas.
    • Read any field if FieldPermissions specifies any permission type for reading.
    • Patch/Post any field if FieldPermissions specifies any permission type for patching or posting.
  • AdminProject:
    • Access restricted to assigned Project.
    • Read fields within the same Project if FieldPermissions specifies AdminProject or a less privileged type for reading.
    • Patch/Post fields within the same Project if FieldPermissions specifies AdminProject or a less privileged type.
  • MemberProject:
    • Read-only access within assigned Project.
    • Read fields within the same Project if FieldPermissions specifies MemberProject or no specific permission type.
    • No patch/post access.
  2. Endpoint Access Control
  • POST /users:
    • Allowed for AdminGlobal and AdminProject users within their Project.
    • Fields allowed only if specified for posting by FieldPermissions.
  • PATCH /users/{id}:
    • Allowed for AdminGlobal and AdminProject users within their Project.
    • Fields allowed only if specified for patching by FieldPermissions.
  • GET /users/{id}:
    • Allowed for AdminGlobal, AdminProject, and MemberProject users within the same Project.
    • Fields allowed only if specified for reading by FieldPermissions.
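The two rule sets above (role ranking plus project scoping, then per-field FieldPermissions lookup) as an added worked example in Python; this is illustration code written for this issue, not the project's implementation. It assumes FieldPermissions records, per field and per operation, the least privileged permission type that is allowed (more privileged types inherit it, and a field with no type for an operation is allowed to nobody); the field names and levels in the table are constructed sample data.

```python
from typing import Optional

# Privilege order from the overview, most to least privileged.
RANK = {"adminGlobal": 3, "adminProject": 2, "practiceLead": 1, "memberTeam": 0}
WRITE_ACTIONS = {"patch", "post"}

# Constructed stand-in for the FieldPermissions table: for each user field, the
# least privileged permission type allowed per operation (None = no role at all).
# Field names and levels here are hypothetical sample data.
FIELD_PERMISSIONS: dict[str, dict[str, Optional[str]]] = {
    "first_name": {"read": "memberTeam",   "patch": "adminProject", "post": "adminProject"},
    "email":      {"read": "adminProject", "patch": "adminProject", "post": "adminProject"},
    "phone":      {"read": "adminGlobal",  "patch": "adminGlobal",  "post": "adminGlobal"},
    "ssn_last4":  {"read": None,           "patch": None,           "post": None},  # sensitive
}

def effective_role(role: str, own_project: Optional[str], target_project: Optional[str]) -> Optional[str]:
    """adminGlobal spans all projects; every other role counts only inside its own project."""
    if role == "adminGlobal":
        return role
    return role if own_project is not None and own_project == target_project else None

def allowed_fields(role: str, own_project: Optional[str], target_project: Optional[str], action: str) -> set[str]:
    """Fields the caller may read/patch/post on a user record belonging to target_project."""
    eff = effective_role(role, own_project, target_project)
    if eff is None:
        return set()
    # Endpoint access control: only adminGlobal and adminProject may write at all.
    if action in WRITE_ACTIONS and RANK[eff] < RANK["adminProject"]:
        return set()
    return {
        name for name, perms in FIELD_PERMISSIONS.items()
        if perms[action] is not None and RANK[eff] >= RANK[perms[action]]
    }

def denied_fields(role: str, own_project: Optional[str], target_project: Optional[str],
                  action: str, payload: dict) -> list[str]:
    """PATCH/POST: fields in the request body the caller may not write; reject if non-empty."""
    return sorted(set(payload) - allowed_fields(role, own_project, target_project, action))

def redact(role: str, own_project: Optional[str], target_project: Optional[str], record: dict) -> dict:
    """GET: drop every field the caller may not read instead of failing the whole request."""
    visible = allowed_fields(role, own_project, target_project, "read")
    return {k: v for k, v in record.items() if k in visible}
```

Writes fail closed on any disallowed field so a client cannot smuggle a sensitive value alongside permitted ones, while reads are filtered field by field.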

Status: 🏗 In progress - actively working