Feature/workspace user management

[fortunkam]

Resolves #4169 "Enable Workspace Owners to add multiple users and assign WorkspaceResearcher role"

This pull request introduces a new user management feature to the api_app project, along with several related changes. The key changes include the addition of new routes for managing workspace users, updates to the configuration to enable user management, and the creation of new schemas and models to support user roles and assignments.

The User management feature will only be visible if the user is a TreAdmin, the USER_MANAGEMENT_ENABLED flag is enabled and the Workspace has Entra ID/AAD groups enabled.

User Management Feature:

• api_app/api/routes/api.py: Added workspace_users to the list of routes and included conditional routing based on the USER_MANAGEMENT_ENABLED configuration. [1] [2]
• api_app/api/routes/workspace_users.py: Introduced new routes for getting workspace users, assignable users, workspace roles, assigning users to roles, and removing user assignments.

Configuration Updates:

• api_app/core/config.py: Added a new configuration variable USER_MANAGEMENT_ENABLED to toggle user management features.

Schema and Model Additions:

• api_app/models/domain/workspace_users.py: Added new models for AssignableUser, Role, AssignedUser, and AssignmentType.
• api_app/models/schemas/roles.py: Created a new schema RolesInResponse to represent the roles in a workspace.
• api_app/models/schemas/users.py: Updated UsersInResponse to use AssignedUser and added new schemas AssignableUsersInResponse and WorkspaceUserOperationResponse. [1] [2]
• api_app/models/schemas/workspace_users.py: Added a new schema UserRoleAssignmentRequest for assigning roles to users.

Other Changes:

• api_app/resources/strings.py: Added new string constants for user management API endpoints and messages. [1] [2]
• api_app/services/aad_authentication.py: Updated methods to support fetching user details, roles, and assignments from Azure AD, including handling new attributes like userPrincipalName. [1] [2] [3] [4] [5]

Version Update:

• api_app/_version.py: Updated the version from 0.21.1 to 0.22.0.

[github-actions]

Unit Test Results

617 tests   617 ✅  7s ⏱️
  1 suites    0 💤
  1 files      0 ❌

Results for commit 2ce6937.

♻️ This comment has been updated with latest results.

[marrobi]

Great to see this, couple of comments, will likely give it a go and review further next week. Thanks!

[marrobi]

Is this not just going to add the user to a random group that has been assigned to the app role?

[marrobi]

the terraform uses:

resource "azuread_group" "workspace_owners" {
  count            = var.create_aad_groups ? 1 : 0
  display_name     = "${var.workspace_resource_name_suffix} Workspace Owners"
  owners           = [var.workspace_owner_object_id]
  security_enabled = true
}

We should maybe output and store the group IDs as workspace properties? If that property exists we add to the group, if it doesn't we add direct to the app role?

[fortunkam]

Interesting, I think when we created this originally we made an assumption that there would only be one group assigned to the app role (for each role type) since that is what the "Add groups" option did. We can make that more explicit.

[marrobi]

Yes, we need to, who knows what group might get added to the app role, and then unknowingly other people get added to it and end up with access to something they shouldn't.

[fortunkam]

Do we need to store this in the Cosmos config somewhere or can we just infer the names from convention?

[marrobi]

I think we need to add the group IDs in outputs.tf for the workspace, and porter.yaml, then the IDs will be stored in cosmos. I think check for existence of that value - will need to be conditional on groups being enabled - and if is there use the ID of the group.

That make sense?

[fortunkam]

Looks like there are already some properties being exported I might be able to use create_aad_groups and can then lookup based on the name and the app_role_id_* properties.

[fortunkam]

Have added an implementation of this, let me know what you think.

[marrobi]

Bit confused, might need to talk through it. How does roles_graph_data["value"] contain groups? looks to be getting existing user role assignments?

[fortunkam]

roles_graph_data contains a list of appRoles assigned to the API, it is a mixture of users and groups

[fortunkam]

This is the call. https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignedto?view=graph-rest-1.0&tabs=http

[marrobi]

Ah, got it, then look through those groups by name?

If it works, ok, think using the workspace outputs would be more straightforward.

[marrobi]

Is it possible to have a picker here of some sort, I tried with an email in the tenant and got a 500 back. Didn't dig any deeper.

[fortunkam]

Originally I had a picker here but it didn't look great with large numbers in the tenant. Ideally what it needs is some sort of search functionality. For external users to a tenant it needs to be added as the user principal name rather than the email address so it is a bit clunky. (e.g. myemail_microsoft.com#EXT#@MyTenant.onmicrosoft.com).

I can readd the name picker as a short term measure and investigate the search functionality as a longer term solution (possibly a new issue)?

[marrobi]

Not sure what the picker looks like... got a snip?

Yes, agree, search would work better.

[fortunkam]

This was the initial attempt, for each user we show the Display Name and the User Principal Name (email address for non-guest users)

[fortunkam]

It works fine while the GAL is small.

[marrobi]

Nice, does it filter as you type or not?

I think add it, and we can maybe modify as we go on. Is it an existing control/component - https://developer.microsoft.com/en-us/fluentui#/controls/web/peoplepicker ?

[fortunkam]

No it is a combobox with an API, will add it now and take a look at that link to see if I can get it in easily?

[fortunkam]

This is now replaced with the people picker

[jonnyry]

NOTE: To use this feature the API Service principal needs to have 2 more application MS Graph permissions adding. Groups.ReadWrite.All and AppRoleAssignments.ReadWriteAll

Is there any way to use a narrower permission than AppRoleAssignments.ReadWriteAll? IIUC this is a broad permission with the ability to grant any other permission (e.g. global admin).

[marrobi]

NOTE: To use this feature the API Service principal needs to have 2 more application MS Graph permissions adding. Groups.ReadWrite.All and AppRoleAssignments.ReadWriteAll

Is there any way to use a narrower permission than AppRoleAssignments.ReadWriteAll? IIUC this is a broad permission with the ability to grant any other permission (e.g. global admin).

The Resource Processor should already have access to these if it created them, maybe it should give the API access to the specific groups and app roles?

[fortunkam]

NOTE: To use this feature the API Service principal needs to have 2 more application MS Graph permissions adding. Groups.ReadWrite.All and AppRoleAssignments.ReadWriteAll

Is there any way to use a narrower permission than AppRoleAssignments.ReadWriteAll? IIUC this is a broad permission with the ability to grant any other permission (e.g. global admin).

The Resource Processor should already have access to these if it created them, maybe it should give the API access to the specific groups and app roles?

In theory it should be owner on the groups so should be able to access the data but this was the only way we could get it to work. I think the ms graph layer was getting in the way but it needs more research.

[Copilot]

Copilot reviewed 28 out of 28 changed files in this pull request and generated 2 comments.

[fortunkam]

Following discussion the User Management feature will now only be available on workspaces with AAD groups enabled.
The additional Graph API permissions are now not required.