API Permission Model for Co-Admins of a Control Center

Hi everyone,

I’d like to ask a question about the current permission model in relation to the API and multi-admin dispatch centers.

Let’s say User A creates a dispatch center and adds User B as a co-admin. Both users can then generate their own OAuth Client Credentials in the dashboard.

Now I have a question about how permissions are handled at the API level:

  • Can User B use their own OAuth credentials to access User A’s dispatch center if they are registered there as an admin or co-admin?

  • Or are the generated credentials technically always exclusively linked to the person who originally created them or their dispatch center?

The background to this question is that with larger community projects or shared dispatch centers, you probably often have multiple technical administrators who want to work with the API independently of each other.

It would also be great in this context if there were appropriate API endpoints available so that you could add users directly via API as co-admins to a dispatch center.

Is there already a clean solution for this, or is something in this direction planned at the API level in the future?

Best regards,
Pat

2 Answers

2

Yes, User B could do this. Authentication via OAuth is consequently the same for authorization as, for example, login via the browser. OAuth here only enables authentication without the user having to disclose their actual passwords or SSO for the same permissions.

I cannot guarantee this yet, since RBAC is to be expanded in administration.

Thanks for the feedback 👍

That sounds like a pretty well thought-out solution. Especially with larger community projects or external tools, it’s really important that multiple technical administrators can work independently with their own OAuth credentials without getting in each other’s way.

I also find the RBAC topic interesting. Once more granular permission assignments or differentiated roles come into play later, that will probably get really interesting at the API level, especially when it comes to implementation in custom tools.

I’m definitely curious to see how this all develops 🙂