Agency-specific admin privileges #56

Closed
GUI opened this issue Jul 10, 2014 · 4 comments
@GUI
Member

GUI commented Jul 10, 2014

When an administrator logs into the admin part of api.data.gov, they should only be able to view their own agency's API configuration, analytics, etc. They should then also have the ability to publish their own API backend configuration without publishing any other pending configuration changes from other agencies.

This ticket has more of the technical details: NREL/api-umbrella#9

@GUI
Member Author

GUI commented Sep 4, 2014

This is nearly complete and will go live as part of #123.

The one pending piece of functionality that is needed is limiting how admins can assign role requirements to API backends and users. This requires a bit more thought, since it's tricky with our current concept of roles being global, but basically one agency shouldn't be able to give a user a role that's being used by another agency to limit access.

Otherwise, here's some detail on how this feature is shaping up:

Admins can now be limited in scope so they can only operate under certain domain names or URL paths. So, for example, I could be limited in scope to api.data.gov/nrel/*. This would allow me to manage any API backends and create any new API backends, as long as they started with api.data.gov/nrel/. I took this approach of an API "scope" so that permissions aren't tied to a single API backend. This also gives agencies the freedom to set up whatever new API backends they want, as long as they exist under some URL prefix where they have ownership.

More granular permissions within a specific scope can also be granted to specific admins. This allows agencies to have users that can only access analytics vs other admins that can also manage their API configuration. In addition, admins can be granted the ability to create other admin accounts, but only within the scopes they have access to. So this should allow agencies to completely self-manage the admin accounts and permissions within their agency.

There's also an improved backend publishing process that's part of this. Agency admins can now publish API backend configuration changes if they have the appropriate permissions within their scope. The new publishing process should be a little more friendly in displaying to you what changes are being published. It also allows for a bit more flexibility, since you can pick and choose which changes get published (so everything doesn't have to go live all at once).
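The scope model described in the comment above, sketched as an added example (not API Umbrella's code and not part of the original thread). The `Scope` and `Admin` structs, the permission names, and the rule that a delegating admin must hold every permission they hand out are assumptions made for illustration; paths are assumed to be URL-decoded already.

```ruby
# Added example, not project code. All names and permissions are hypothetical.
Scope = Struct.new(:host, :path_prefix)  # e.g. "api.data.gov", "/nrel/"
Admin = Struct.new(:name, :grants)       # grants: { Scope => [permissions] }

# Collapse "." and ".." segments so "/nrel/../doe/" cannot pass a prefix test.
def normalize_path(path)
  out = []
  path.split("/").each do |seg|
    next if seg.empty? || seg == "."
    seg == ".." ? out.pop : out.push(seg)
  end
  "/" + out.join("/") + (path.end_with?("/") && !out.empty? ? "/" : "")
end

# Compare on a segment boundary: "/nrel/" must not match "/nrel-evil/".
def in_scope?(scope, host, path)
  prefix = scope.path_prefix.end_with?("/") ? scope.path_prefix : scope.path_prefix + "/"
  candidate = normalize_path(path)
  candidate += "/" unless candidate.end_with?("/")
  host.downcase == scope.host.downcase && candidate.start_with?(prefix)
end

# True if some grant covers the URL and carries the requested permission.
def allowed?(admin, permission, host, path)
  admin.grants.any? do |scope, perms|
    perms.include?(permission) && in_scope?(scope, host, path)
  end
end

# Creating another admin: every new scope must sit inside one the creator can
# manage admins for. Assumption: the creator must also hold each permission
# being handed out, so delegation cannot widen privileges.
def can_delegate?(creator, new_grants)
  new_grants.all? do |scope, perms|
    allowed?(creator, :admin_manage, scope.host, scope.path_prefix) &&
      perms.all? { |p| allowed?(creator, p, scope.host, scope.path_prefix) }
  end
end

# Constructed sample data.
NREL = Scope.new("api.data.gov", "/nrel/")
NREL_ADMIN = Admin.new("nrel-admin", { NREL => [:backend_manage, :analytics, :admin_manage] })
NREL_ANALYST = Admin.new("nrel-analyst", { NREL => [:analytics] })
```

The trailing-slash comparison and the dot-segment normalization are the two places a plain string-prefix check on a URL scope tends to let a neighbouring agency's path through.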

@shawnjohnson
Contributor

Are scope-specific rate-limits a possibility? Currently, if I change someone's rate limit, that impacts their limits across all APIs. While this is not likely to be an issue in most cases, I might give someone a high limit on "my API", and they end up impacting another API instead. New issue?

@GUI
Member Author

GUI commented Sep 10, 2014

I thought there was a ticket floating out there on that issue already, but now I can't find it. In any case, I do think that's a slightly different issue, but one that's been on my radar for quite a while, and one that I think becomes more important as we grow. I opened a new issue with some more details on that: #124

@GUI
Member Author

GUI commented Oct 13, 2014

This should now be live. Yay!
