2
 Followers
23
 Likes

Allow users to create apps only in their teams, either by using an extra permission layer (User Groups) or changes in Service Studio and permission model.

Lifetime
On our radar

Hello,

A lot of OutSystems customers get confused regarding our Teams being Application Teams instead of User teams, and one scenario that they get confused with is that when they have multiple businesses/independent teams working inside the same infrastructure, they can't allow the users to create applications only inside their teams.

The use case is that you have multiple independent teams working in your infrastructure, and you want them to be "somewhat" autonomous, but then in Lifetime you only really have 2 options:

  • Give them permission to change and deploy as default so that they can create applications in your infrastructure, which means that they will have access to any application that they are not restricted to (Applications that are not on a team, which if you have many teams all creating applications, and they are all created without a team at first, will be a problem unless they have a very good internal process). And if you do this you still need to give someone access to assign the applications to your team, and you need to give them "Manage Teams and Application Roles" as default, and from the moment you do that, they can freely unassign/assign any user/application to any team, so in theory they have access to everything (since they can give themselves access to anything by unassigning an app from a team). So there's either no full autonomy or no full independence between the teams.
  • Don't give them permissions to change and deploy as default and direct to some kind of infrastructure manager that responsibility, removing the autonomy from your developer teams since they always need to raise a ticket/ask the infra manager to create an app and assign it to one of the teams that they can actually change.

So as you can see, as far as I know, there's no real workaround for this use case.

In my opinion, one way of fixing this without creating a new permission layer would be a dropdown inside Service Studio when you are creating an application so that you could choose the "Application Teams" that you have Change & Deploy in and then allowing the users to create applications as long as they have Change & Deploy in at least one team and automatically assign the app to that team. The dropdown could include "No Team" if the user has Change & Deploy as default.

The other option would be a new permission layer for user groups, which would mean being able to group your users (one user to only one team at any time), and then giving them permissions to applications assigned to that team (like the opposite of the Application Teams right now) would fix this issue, since then you could have List as default and change and deploy in your User Group, and all applications that you would create could be automatically assigned to your User Group.

I hope the idea is clear enough, sorry for this wall of text!

Thank you in advance!

Created on 26 Feb
Comments (4)

A platform user can be member of multiple lifetime teams.

It would be nice if there is a permission toggle on a platform role that steers if platform user is allowed to:

- create/delete app

- download/update forge component

When user is allowed to create a program it would be nice if it can select which team owns the application (one of the teams the user can work for).


Changed the category to Lifetime


Changed the status to
On our radar


Hi Frederico,

Thanks for sharing your idea.

This problem is under our radar, we will be working to improve the permissions setup.

One think that we would like to explore from your idea is: what is the current impact of that issue? 

Thank you,

João Bento

Hello João Bento,

Could you clarify which is the information that you need?  I think I extensively explained the impact on the idea.

Thank you,

views
388
Followers
2