feat(roles): seed default group bindings to match test personas#462
Merged
Conversation
Until now only the Admin role shipped with a default `assigned_groups` binding (driven by `APP_ADMIN_DEFAULT_GROUPS`). The other seeded roles — Data Governance Officer, Data Steward, Data Producer, Data Consumer, Security Officer — were created with empty `assigned_groups`, which meant the runtime persona override (added in #459 / e8bd863) would correctly impersonate the persona's identity but resolve to *zero* permissions until an operator manually added groups to each role in the Settings UI. This patch bakes the conventional group names into both seed sources so the persona flow works end-to-end on first run: Data Governance Officer <- data-governance-officers Data Steward <- data-stewards Data Producer <- data-producers Data Consumer <- data-consumers Security Officer <- security-officers The group names match `src/backend/src/data/test_personas.yaml` and the labels used in the Test Persona dropdown. Sources touched: - `src/backend/src/data/settings.yaml` (the authoritative seed YAML) - `DEFAULT_ROLES` in `settings_manager.py` (in-code fallback used when the YAML is missing) — including the `generated_roles` codepath that writes the YAML on first run, so a fresh deployment without `settings.yaml` also gets the bindings. Admin is intentionally NOT given a hardcoded default here — its `assigned_groups` continue to come from `APP_ADMIN_DEFAULT_GROUPS` so production deployments retain explicit control over admin assignment. Migration note: existing deployments already have role records persisted to the database and won't be affected by this change. To pick up the new bindings, either edit roles via Settings → Roles and add the groups listed above, or delete the affected role rows so they get re-seeded on next start.
larsgeorge-db
force-pushed
the
feat-seed-default-role-groups
branch
from
121bb10 to
18dfcf7
Compare
This was referenced May 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #459 (runtime test-user impersonation). Until now only the Admin role shipped with a default
assigned_groupsbinding (driven byAPP_ADMIN_DEFAULT_GROUPS). All other seeded roles were created with emptyassigned_groups, so the runtime persona override would correctly impersonate the persona's identity but resolve to zero permissions — making the feature useless out of the box for anything except the Admin persona.This patch bakes the conventional group names into both seed sources so every persona in
src/backend/src/data/test_personas.yamllands in the matching role on first run.Bindings added
assigned_groupsdata-governance-officersdata-stewardsdata-producersdata-consumerssecurity-officersGroup names match the personas in
test_personas.yamland the labels in the Test Persona dropdown.Sources touched
src/backend/src/data/settings.yaml— the authoritative seed YAML.DEFAULT_ROLESinsrc/backend/src/controller/settings_manager.py— the in-code fallback used when the YAML is missing. Also updated thegenerated_rolescodepath that writes the YAML on first run, so a fresh deployment withoutsettings.yamlalso gets the bindings.Why Admin is intentionally NOT touched
Admin's
assigned_groupscontinue to come fromAPP_ADMIN_DEFAULT_GROUPS. Hardcoding it here would risk granting admin to whatever happens to be set on someone's local workspace by name collision. Production deployments keep explicit control via env var.Migration
Existing deployments already have role records persisted to the database and will not be affected by this change (the seed only fires when records are missing). To pick up the new bindings on an existing install:
Test plan
settings.yaml): role records pick up the new groups.settings.yaml): role records pick up the new groups.TEST_USER_TOKENset: pick "Data Producer" from the Test Persona dropdown ->/api/user/permissionsreturns Producer's permission map (non-empty), notNoneacross the board.