As an Open Data Hub Data Editor I want to edit only the contents of my organization (in both domains content (tourism) and timeseries (mobility)), to avoid to change contents I'm not responsible for.

[sseppi]

As for example, the communication team of NOI shouldn't have write permissions for all events provided by the EventShort endpoint. The idea is to allow them to change only the NOI events.

One idea could be to start and grant the permissions (e.g. read, write, etc.) using the DataProvider field, but probably we would need to do with more granularity by granting the permissions using a combination of DataProvider and Dataset. this could allow the following:

• user 1 has write access to the Events of NOI and not to the Articles;
• user 2 hasn't access to the Events of NOI and has write access to the Articles.

If you need more detail about it, feel free to ask!

[clezag]

Just throwing in some points to consider when we discuss this:

• This issue is strongly linked to As an Open Data Hub maintainer i want to control provider's permission to push data (Rest endpoints, MQTT topics, ...) infrastructure-v2#32 where we will have the same problem as well, but on even more channels like AMQP, MQTT or websocket. Any solution we find should be able to extend to other protocols/message channels and data models as well

• Would be nice to have this manage API read permissions as well, seeing as the Ninja API's access control mechanism is rather simplistic and will have to be improved long term

• Keycloak already has permission management, we should check out if it could cover our use case out of the box

[RudiThoeni]

We want to use the Keycloak Authorization Services to handle this. there is a Standard called UMA.
The workflow then would be
-The submitted Token is passed to Keycloak and we get all permissions of this User
-The api uses this permissions for read/write

[RudiThoeni]

Opened PR here #407