adminfront 및 백엔드: 글로벌 사이드바 11개 전 메뉴별 ReBAC 기반 접근 제어(Admin Control) 스키마, REST API, UI 설정 패널 전격 구현 완료

2026-06-10 16:55:34 +09:00
parent 5b4efae001
commit b4f80a36b0
12 changed files with 976 additions and 113 deletions
--- a/docker/ory/keto/namespaces.ts
+++ b/docker/ory/keto/namespaces.ts
@@ -6,11 +6,69 @@ class System implements Namespace {
  related: {
    super_admins: User[]
    authenticated_users: User[]
+
+    // 🌟 신규 글로벌 메뉴 권한 (Admin Control) 정의
+    overview_viewers: User[]
+    tenants_viewers: User[]
+    org_chart_viewers: User[]
+    worksmobile_viewers: User[]
+    ory_ssot_viewers: User[]
+    data_integrity_viewers: User[]
+    users_viewers: User[]
+    permissions_direct_viewers: User[]
+    auth_guard_viewers: User[]
+    api_keys_viewers: User[]
+    audit_logs_viewers: User[]
  }

  permits = {
    manage_all: (ctx: Context): boolean =>
-      this.related.super_admins.includes(ctx.subject)
+      this.related.super_admins.includes(ctx.subject),
+
+    // 🌟 글로벌 메뉴 허가 규칙 (Permit Rules) - Super Admin은 언제나 무조건 패스
+    access_overview: (ctx: Context): boolean =>
+      this.related.overview_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_tenants: (ctx: Context): boolean =>
+      this.related.tenants_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_org_chart: (ctx: Context): boolean =>
+      this.related.org_chart_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_worksmobile: (ctx: Context): boolean =>
+      this.related.worksmobile_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_ory_ssot: (ctx: Context): boolean =>
+      this.related.ory_ssot_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_data_integrity: (ctx: Context): boolean =>
+      this.related.data_integrity_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_users: (ctx: Context): boolean =>
+      this.related.users_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_permissions_direct: (ctx: Context): boolean =>
+      this.related.permissions_direct_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_auth_guard: (ctx: Context): boolean =>
+      this.related.auth_guard_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_api_keys: (ctx: Context): boolean =>
+      this.related.api_keys_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx),
+
+    access_audit_logs: (ctx: Context): boolean =>
+      this.related.audit_logs_viewers.includes(ctx.subject) ||
+      this.permits.manage_all(ctx)
  }
 }