adminfront 및 백엔드: 전 메뉴 및 탭 수준 ReBAC 기반 접근 제어(Admin Control) 기능 추가 구현 완료

docker/ory/keto/namespaces.ts

@@ -7,7 +7,7 @@ class System implements Namespace {
     super_admins: User[]
     authenticated_users: User[]
 
-    // 🌟 신규 글로벌 메뉴 권한 (Admin Control) 정의
+    // 🌟 신규 글로벌 메뉴 권한 (Admin Control) 정의 - 조회(Read)
     overview_viewers: User[]
     tenants_viewers: User[]
     org_chart_viewers: User[]
@@ -19,55 +19,112 @@ class System implements Namespace {
     auth_guard_viewers: User[]
     api_keys_viewers: User[]
     audit_logs_viewers: User[]
+
+    // 🌟 신규 글로벌 메뉴 권한 (Admin Control) 정의 - 수정(Write)
+    overview_managers: User[]
+    tenants_managers: User[]
+    org_chart_managers: User[]
+    worksmobile_managers: User[]
+    ory_ssot_managers: User[]
+    data_integrity_managers: User[]
+    users_managers: User[]
+    permissions_direct_managers: User[]
+    auth_guard_managers: User[]
+    api_keys_managers: User[]
+    audit_logs_managers: User[]
   }
 
   permits = {
     manage_all: (ctx: Context): boolean =>
       this.related.super_admins.includes(ctx.subject),
 
-    // 🌟 글로벌 메뉴 허가 규칙 (Permit Rules) - Super Admin은 언제나 무조건 패스
+    // 🌟 글로벌 메뉴 허가 규칙 (Permit Rules) - 조회(access_)와 수정(manage_) 완전 분리 이원화
     access_overview: (ctx: Context): boolean =>
       this.related.overview_viewers.includes(ctx.subject) ||
+      this.permits.manage_overview(ctx),
+
+    manage_overview: (ctx: Context): boolean =>
+      this.related.overview_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_tenants: (ctx: Context): boolean =>
       this.related.tenants_viewers.includes(ctx.subject) ||
+      this.permits.manage_tenants(ctx),
+
+    manage_tenants: (ctx: Context): boolean =>
+      this.related.tenants_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_org_chart: (ctx: Context): boolean =>
       this.related.org_chart_viewers.includes(ctx.subject) ||
+      this.permits.manage_org_chart(ctx),
+
+    manage_org_chart: (ctx: Context): boolean =>
+      this.related.org_chart_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_worksmobile: (ctx: Context): boolean =>
       this.related.worksmobile_viewers.includes(ctx.subject) ||
+      this.permits.manage_worksmobile(ctx),
+
+    manage_worksmobile: (ctx: Context): boolean =>
+      this.related.worksmobile_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_ory_ssot: (ctx: Context): boolean =>
       this.related.ory_ssot_viewers.includes(ctx.subject) ||
+      this.permits.manage_ory_ssot(ctx),
+
+    manage_ory_ssot: (ctx: Context): boolean =>
+      this.related.ory_ssot_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_data_integrity: (ctx: Context): boolean =>
       this.related.data_integrity_viewers.includes(ctx.subject) ||
+      this.permits.manage_data_integrity(ctx),
+
+    manage_data_integrity: (ctx: Context): boolean =>
+      this.related.data_integrity_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_users: (ctx: Context): boolean =>
       this.related.users_viewers.includes(ctx.subject) ||
+      this.permits.manage_users(ctx),
+
+    manage_users: (ctx: Context): boolean =>
+      this.related.users_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_permissions_direct: (ctx: Context): boolean =>
       this.related.permissions_direct_viewers.includes(ctx.subject) ||
+      this.permits.manage_permissions_direct(ctx),
+
+    manage_permissions_direct: (ctx: Context): boolean =>
+      this.related.permissions_direct_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_auth_guard: (ctx: Context): boolean =>
       this.related.auth_guard_viewers.includes(ctx.subject) ||
+      this.permits.manage_auth_guard(ctx),
+
+    manage_auth_guard: (ctx: Context): boolean =>
+      this.related.auth_guard_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_api_keys: (ctx: Context): boolean =>
       this.related.api_keys_viewers.includes(ctx.subject) ||
+      this.permits.manage_api_keys(ctx),
+
+    manage_api_keys: (ctx: Context): boolean =>
+      this.related.api_keys_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx),
 
     access_audit_logs: (ctx: Context): boolean =>
       this.related.audit_logs_viewers.includes(ctx.subject) ||
+      this.permits.manage_audit_logs(ctx),
+
+    manage_audit_logs: (ctx: Context): boolean =>
+      this.related.audit_logs_managers.includes(ctx.subject) ||
       this.permits.manage_all(ctx)
   }
 }