mia-platform · marcofilippi · Nov 21, 2024 · Nov 19, 2024 · Nov 19, 2024 · Nov 20, 2024
diff --git a/docs/development_suite/api-console/api-design/limit-user-actions.md b/docs/development_suite/api-console/api-design/limit-user-actions.md
@@ -0,0 +1,255 @@
+---
+id: limit-user-actions
+title: Limit User Actions
+sidebar_label: Limit User Actions
+---
+
+# Design changes Fine-Grained Access Control
+
+:::info
+This feature is currently available exclusively as a **Closed Preview** and is not yet generally available. For more information and to request its activation for your Company, please contact your Mia-Platform referent.
+:::
+
+This feature introduces a mechanism for managing user interactions within the application by restricting specific actions based on user roles and specified rules in the Design section.
+
+If a user attempts to save a configuration after performing some changes that are forbidden by the configured rules, the saving is blocked and an error is returned.
+
+*Rules* and *user roles* can be configured at both the Project and the Company levels.
+The following logic is applied:
+
+- **Rules**: Project and Company rules are combined together without conflict, as only disallow rules are used.  
+- **User Roles**: If a user has roles assigned at the Project level, only those roles used to find the applicable rules. If no Project-level roles are assigned, the roles defined at the Company level are used instead.
+
+## Configuration definition
+
+To enable this feature the `Project` or `Company` `configurationManagement.saveChangesRules` field of the configuration must be set with a list of objects with the following structure:
+
+| Field               | Type        | Description                                   | Optional |
+| ------------------- | ----------- | --------------------------------------------- | -------- |
+| `disallowedRuleSet` | `RuleSet[]` | list of rules that prohibit a specific action | ❌       |
+| `roleIds`           | `String[]`  | List of user roles to which the rules apply   | ❌       |
+
+The `RuleSet` object has these fields:
+
+| Field               | Type               | Description                                                     | Optional |
+| ------------------- | ------------------ | --------------------------------------------------------------- | -------- |
+| `jsonPath`          | `String`           | JSONPath of the resource on which the action must be prevented. | ✅       |
+| `processingOptions` | `ProcessingOption` | Additional options of the rule                                  | ✅       |
+| `ruleId`            | `String`           | Reference a to a rule from a predefined set                     | ✅       |
+
+___
+A `disallowedRuleSet` can be configured in 3 ways:
+
+- [Via `jsonPath`](#via-jsonpath)
+- [Via `jsonPath` and `processingOptions`](#via-jsonpath-and-processingoptions)
+- [Via `ruleId`](#via-ruleid)
+
+### Via `jsonPath`
+
+The `jsonPath` field is used to extract a target resource applying a JSONPath expression on the JSON structure of the configuration. On the extracted resource are not permitted any updates.
+
+### Via `jsonPath` and `processingOptions`
+
+- The `jsonPath` is used to extract the target resource.
+- The `processingOptions` define the `action` (`create`, `delete`) to prevent on the resource. If the resource captured by the jsonPath are of array type, the field `primaryKey` must be specified.
+
+The `ProcessingOption` object has the following structure:
+
+| Field        | Type       | Description                                                                                          | Optional |
+| ------------ | ---------- | ---------------------------------------------------------------------------------------------------- | -------- |
+| `action`     | `string[]` | Action to be prevented on the resource defined via the jsonPath. Possible values: `create`, `delete` | ❌       |
+| `primaryKey` | `String`   | Primary key of the resource captured by the jsonPath. Mandatory if resource is of array type         | ✅       |
+
+### Via `ruleId`
+
+The `ruleId` references a rule from a predefined set of rules, that define a specific behavior.
+
+**The available `ruleIds` are**:
+
+| `ruleId`                  | Description                                                                                         |
+| ------------------------- | --------------------------------------------------------------------------------------------------- |
+| `endpoints.security.edit` | block edit of the fields [`public`, `acl`, `secreted`] of `endpoints` and `routes` inside endpoints |
+|                           |                                                                                                     |
+
+## Configuring rules via API
+
+### Updating rules on a Project
+
+The API for updating the rules on a Project is defined as follows
+
+:::info
+**NOTE**  
+This API is meant for internal use and will be subject to breaking changes.
+:::
+
+#### Request
+
+- verb: `PATCH`
+- path: `/api/backend/projects/:projectId/rules`
+
+##### Security
+
+| Security                | Check                           |
+|-------------------------|---------------------------------|
+| Authentication required | ✅                              |
+| RBAC permissions        | console.company.details.update  |
+
+##### Body
+
+The **body** of the request has the structure described in [Configuration definition](#configuration-definition)
+
+### Updating rules on a Company
+
+The API for updating the rules on a Company is defined as follows.
+
+:::info
+**NOTE**  
+This API is meant for internal use and will be subject to breaking changes.
+:::info
+
+#### Request
+
+- verb: `PATCH`
+- path: `/api/backend/tenants/:tenantId/rules`
+
+##### Security
+
+| Security                | Check                           |
+|-------------------------|---------------------------------|
+| Authentication required | ✅                              |
+| RBAC permissions        | console.company.details.update  |
+
+##### Body
+
+The **body** of the request the structure described in [Configuration definition](#configuration-definition)
+
+Below are some **examples of request bodies** for the Update Rules API. The request body format is identical for both the Update Project and Update Company APIs.
+
+- prevent edit of the `dockerImage` of all services to the role `maintainer`
+
+```json
+  {
+      "configurationManagement": {
+          "saveChangesRules": [
+              {
+                  "disallowedRuleSet": [
+                      {
+                          "jsonPath": "$.services.*.dockerImage"
+                      },
+                  ],
+                  "roleIds": [
+                      "maintainer"
+                  ]
+              }
+          ]
+      }
+  }
+```
+
+- prevent creation of the resource `secrets` to the role `maintainer`
+
+```json
+{
+  "configurationManagement": {
+    "saveChangesRules": [
+      {
+        "disallowedRuleSet": [
+          {
+            "jsonPath": "$.collections",
+            "processingOptions": {
+              "action": "create"
+            }
+          }
+        ],
+        "roleIds": ["maintainer"]
+      }
+    ]
+  }
+}
+```
+
+- prevent the creation of a services of a specific type (`custom-resource`) to the role `maintainer`
+
+```json
+{
+  "configurationManagement": {
+    "saveChangesRules": [
+      {
+        "disallowedRuleSet": [
+          {
+            "jsonPath": "$.services.[?(@.type==\"cursom-resource\")]",
+            "processingOptions": { "action": "create" }
+          }
+        ],
+        "roleIds": ["maintainer"]
+      }
+    ]
+  }
+}
+```
+
+- configure the predefined rule with `ruleId` "endpoints.security.edit" to the role `maintainer`
+
+```json
+{
+  "configurationManagement": {
+    "saveChangesRules": [
+      {
+        "disallowedRuleSet": [
+          {
+            "ruleId": "endpoints.security.edit"
+          }
+        ],
+        "roleIds": ["maintainer"]
+      }
+    ]
+  }
+}
+```
+
+## Fetching and configuring rules via `miactl`
+
+### list
+
+List available rules for the Company or for a specific Project.
+
+Usage:
+
+```sh
+miactl company rules list [flags]
+```
+
+Available flags for the command:
+
+- `--company-id`, the id of the Company
+- `--project-id`, the id of the Project (if provided the command will print avilable rules for the project,
+  together with the rules inherited from the Company)
+
+### update
+
+Update rules for a Company or for a specific Project
+
+Usage:
+
+```sh
+miactl company rules update [flags]
+```
+
+Available flags for the command:
+
+- `--company-id`, the id of the Company
+- `--project-id`, the id of the Project (if provided the command will update the rules for the specified Project only)
+- `-f`, path to the file where the rules are saved
+
+File example:
+
+```json
+[
+ {
+  "roleIds": ["developer"],
+  "disallowedRuleSet": [
+   {"ruleId": "endpoint.security.edit"}
+  ]
+ }
+]
+```