Here is a little RFC for a Policy.yaml backend module.
Your comments and ideas are very welcome!
Currently it is hard to find out what you can do with the Policy.yaml. You have to know what you can use as a matcher and so on.
What we plan to do is to create a new little backend module to generate a Policy.yaml. This backend module should be a part of a new Flowpack package (e.g. Flowpack.Neos.Security).
With the module, it should be possible to build the Policy.yaml with a form.
Really cool idea, indeed. There are some things that came to my mind:
Obviously we need a nice way to write that back to the Policy.yaml. However, you can never do this in production; this has to be a development-only tool/module.
It would be really cool to select the values based on some nice editors, e.g. select the node type from the available node types in the system.
We have to check the logical operators in the matcher expressions. I fear not everything you can model with the example above is really supported by the matcher. But that’s a general issue we have to look into, to find out which combinations make sense and which shouldn’t be possible.
Regarding the UI I’m probably not the right person to make that nicer. However, I’m definitely in to give feedback and help with conceptual questions.
It’s fine for a first version to have to copy-paste the generated Policy.yaml.
Maybe we can check with @dimaip if we can have access to the Ember stuff he’s doing for the NodeType “Wizard”.
I have the feeling that if we found a way to have a really natural-speaking interface, it will be awesome. Let’s see what can be done; I’m not enough into the technical part to be sure if it’s possible or not.
@steffenmatthes Thanks for bringing this up again, but this is not really related to backend modules, is it? IMO it’s better to open a new thread rather than hijacking a 2-year-old one.
As to your question: Roles are an application concept. You should be able to assign roles at “runtime” (like via the Neos User Management) but it won’t be possible to change roles at runtime for a couple of reasons (security, caching for example).
What you are probably looking for is a concept we call user groups, so that you could specify s.th. like “User A has role NewsEditor in this part of the tree”.
Hopefully we’ll be able to tackle this with https://github.com/neos/flow-development-collection/issues/593 at some point, but it’s quite a complex topic.
In the meantime you can either solve it with multiple roles or a custom implementation of “user groups”.