You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Following the hierarchical entitlements model defined in #2631, this issue covers two related pieces of work:
Backend (calm-hub): Completing and correcting the user access REST API so it is fully RESTful and ready for UI consumption — including grant revocation, a current-user grants endpoint, and aligning request/response conventions with REST norms.
Frontend (calm-hub-ui): An administrative UI allowing namespace admins and global admins to view, grant, and revoke user entitlements across the namespace hierarchy and at the domain level.
Required APIs:
The following endpoints are required to support the UI. These must be implemented and tested in calm-hub as part of this issue:
Method
Endpoint
Permission required
Purpose
GET
/api/calm/user-access/current
Any authenticated user
Returns all grants for the authenticated user (explicit and wildcard). Used to determine which namespaces/domains the user can administer.
GET
/api/calm/namespaces/{ns}/user-access
Namespace admin or global admin
Lists all grants for a namespace
POST
/api/calm/namespaces/{ns}/user-access
Namespace admin or global admin
Grants access to a user on a namespace
DELETE
/api/calm/namespaces/{ns}/user-access/{id}
Namespace admin or global admin
Revokes a specific namespace grant
GET
/api/calm/domains/{domain}/user-access
Global admin
Lists all grants for a domain
POST
/api/calm/domains/{domain}/user-access
Global admin
Grants domain-level access to a user
DELETE
/api/calm/domains/{domain}/user-access/{id}
Global admin
Revokes a specific domain grant
User Stories:
As a namespace admin
I want to view who currently has access to my namespace
So that I can audit and manage access
As a namespace admin
I want to grant or revoke read/write/admin access for a specific user on my namespace
So that I can control who can interact with my namespace's artifacts
As a global admin
I want to manage domain-level entitlements
So that I can control who has cross-namespace privileges
As any authenticated user
I want to see which namespaces and domains I have access to
So that I understand what I can read, write, or administer
Proposed UI Design Considerations:
GET /user-access/current should be called on load to determine which namespaces/domains the current user can administer — this drives what management panels are shown
The namespace hierarchy (org, org.ecosystem, org.ecosystem.system) should be displayed as a tree, consistent with the model defined in CALMHub - hierarchical entitlements #2631
For each namespace the user can admin, show the current grants list with username, permission level, and a revoke action
A grant form should allow specifying a username and selecting a permission level (read, write, admin)
Wildcard grants (*) should be visually distinguished from named-user grants, as revoking a wildcard affects all users with implicit access through it
Domain entitlements should be presented separately, visible only to global admins
Implementation Checklist:
calm-hub (API)
GET /api/calm/user-access/current implemented
DELETE endpoints implemented for namespace and domain grants
POST body uses { username, permission } only — namespace/domain set server-side from path
Empty grant lists return 200 [] (not 404)
Permission checks enforced on all mutation endpoints
calm-hub-ui (UI)
Design reviewed and approved
GET /user-access/current integrated to drive admin panel visibility
Namespace entitlements view and grant/revoke implemented
Domain entitlements view and grant/revoke implemented (global admin only)
Wildcard grant display handled
Tests written and passing
Documentation updated
Additional Context:
The backend checklist items reflect API work being completed alongside this issue. The UI work depends on those items being in place.
Feature Proposal
Target Project:
calm-hub, calm-hub-ui
Description of Feature:
Following the hierarchical entitlements model defined in #2631, this issue covers two related pieces of work:
Backend (calm-hub): Completing and correcting the user access REST API so it is fully RESTful and ready for UI consumption — including grant revocation, a current-user grants endpoint, and aligning request/response conventions with REST norms.
Frontend (calm-hub-ui): An administrative UI allowing namespace admins and global admins to view, grant, and revoke user entitlements across the namespace hierarchy and at the domain level.
Required APIs:
The following endpoints are required to support the UI. These must be implemented and tested in calm-hub as part of this issue:
GET/api/calm/user-access/currentGET/api/calm/namespaces/{ns}/user-accessPOST/api/calm/namespaces/{ns}/user-accessDELETE/api/calm/namespaces/{ns}/user-access/{id}GET/api/calm/domains/{domain}/user-accessPOST/api/calm/domains/{domain}/user-accessDELETE/api/calm/domains/{domain}/user-access/{id}User Stories:
As a namespace admin
I want to view who currently has access to my namespace
So that I can audit and manage access
As a namespace admin
I want to grant or revoke read/write/admin access for a specific user on my namespace
So that I can control who can interact with my namespace's artifacts
As a global admin
I want to manage domain-level entitlements
So that I can control who has cross-namespace privileges
As any authenticated user
I want to see which namespaces and domains I have access to
So that I understand what I can read, write, or administer
Proposed UI Design Considerations:
GET /user-access/currentshould be called on load to determine which namespaces/domains the current user can administer — this drives what management panels are shownorg,org.ecosystem,org.ecosystem.system) should be displayed as a tree, consistent with the model defined in CALMHub - hierarchical entitlements #2631read,write,admin)*) should be visually distinguished from named-user grants, as revoking a wildcard affects all users with implicit access through itImplementation Checklist:
calm-hub (API)
GET /api/calm/user-access/currentimplementedDELETEendpoints implemented for namespace and domain grants{ username, permission }only — namespace/domain set server-side from path200 [](not404)calm-hub-ui (UI)
GET /user-access/currentintegrated to drive admin panel visibilityAdditional Context:
The backend checklist items reflect API work being completed alongside this issue. The UI work depends on those items being in place.