
REQ-402 Role-Based Access Control (RBAC) for Read/Write Operations #43

@UweSchwaeke

Description

🆔 Requirement Details

  • ID: REQ-402
  • Priority: Must Have
  • Google Doc Link: link

📝 Description

Within a specific organization (tenant), the platform must support granular Role-Based Access Control (RBAC). Administrators must be able to provision users with specific permission sets, including at least:

  1. Read-Only Access: Users who can only view, query, and download/pull content (using native tools like curl, dnf, yum, podman, or docker) from their assigned organization.
  2. Write/Publish Access: Users who are explicitly authorized to upload, push, or publish new content (RPMs and OCI images) to their assigned organization.

🧪 Evaluation / Acceptance Criteria

  • Create a Read-Only-User and a Publisher-User within a single test organization (Org-A).
  • Test Read (RPM): Authenticate as Read-Only-User and successfully install an RPM via dnf/yum or download it via curl.
  • Test Read (OCI): Authenticate as Read-Only-User and successfully pull a container image via podman pull.
  • Test Write Denial: Authenticate as Read-Only-User and verify that attempting to push an image (podman push) or upload an RPM is explicitly rejected (e.g., HTTP 403 Forbidden).
  • Test Write Success: Authenticate as Publisher-User and verify they can successfully push a new OCI image and upload a new RPM to Org-A.
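The policy decision behind these acceptance criteria, written out as an added Python example (not code from this issue or from the platform itself). It assumes a gateway that sees each HTTP request, an OCI route layout of /v2/<org>/<repo>/... as used by podman and docker, and a hypothetical /rpm/<org>/... route for RPM traffic; it also covers the cross-organization case, which the criteria above do not list.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Role(Enum):
    READ_ONLY = "read-only"   # view, query, pull, download
    PUBLISHER = "publisher"   # everything read-only can do, plus push/upload

# Operations granted to each role inside the user's own organization.
ROLE_PERMISSIONS = {Role.READ_ONLY: {"read"}, Role.PUBLISHER: {"read", "write"}}

@dataclass(frozen=True)
class User:
    name: str
    org: str    # the single organization (tenant) the user is assigned to
    role: Role

def classify_request(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Map an HTTP request to (organization, operation), or None for non-content routes.

    Assumed route layout: /v2/<org>/<repo>/... (OCI distribution API) and a
    hypothetical /rpm/<org>/... route. Any verb other than GET/HEAD counts as a
    write, so unexpected verbs are denied to read-only users by default.
    """
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] not in ("v2", "rpm"):
        return None
    operation = "read" if method.upper() in ("GET", "HEAD") else "write"
    return parts[1], operation

def authorize(user: User, method: str, path: str) -> int:
    """Return the HTTP status a policy gateway should answer for this request."""
    target = classify_request(method, path)
    if target is None:
        return 404                  # not a content route governed by this policy
    org, operation = target
    if org != user.org:
        return 403                  # tenant isolation: other organizations are off limits
    if operation not in ROLE_PERMISSIONS[user.role]:
        return 403                  # e.g. Read-Only-User attempting podman push
    return 200

# Constructed sample users matching the acceptance criteria (Org-A).
READ_ONLY_USER = User("read-only-user", "org-a", Role.READ_ONLY)
PUBLISHER_USER = User("publisher-user", "org-a", Role.PUBLISHER)
```

Each acceptance criterion maps to one call: a pull or download is a GET, a podman push starts with a POST to blobs/uploads/, and the expected 403 comes from the role check rather than from the individual tool.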
