question

Paul Pacheco asked

Group roles

I am using entity groups for a clan system.

I can create a role with CreateRole, but how do I manage permissions? In particular, say I have a clan with the following roles:

  • Master,
  • Vice,
  • Member

I want Vice to be able to invite/kick members.

I want Master to be able to promote/demote Vice and invite/kick members.

I can't find anywhere in the docs how to set up role policies.


1 Answer

JayZuo answered

There is no official document about Group Policy for now. I'll share my solution for your request.

Firstly, you will need to add a "Vice" role in this group, as by default there are already "admins" and "members". "Admins" have full control of the group by default, and the player who created the group is the admin. You can add a role with the CreateRole method.

And then, modify this group's policy with SetProfilePolicy to allow vice to be able to invite/kick members. Before setting, you need to get the default policy with GetProfile first.

This will return a list of permissions like:

    "Permissions": [
        {
            "Resource": "pfrn:group--*!*",
            "Action": "Read",
            "Effect": "Allow",
            "Principal": {
                "ChildOf": {
                    "EntityType": "title",
                    "EntityId": "****"
                }
            },
            "Comment": "Allow all entities to read the group's metadata, such as name"
        },
        {
            "Resource": "pfrn:group--*!*",
            "Action": "*",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "admins"
                }
            },
            "Comment": "Allow members of the group administrator role to modify the group metadata"
        },
        {
            "Resource": "pfrn:data--*!*/Profile/*",
            "Action": "Read",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "*"
                }
            },
            "Comment": "Allow members of the group to read entity profile data and files"
        },
        {
            "Resource": "pfrn:data--*!*/*",
            "Action": "*",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "admins"
                }
            },
            "Comment": "Allow members of the group administrator role to modify group profile data and files"
        },
        {
            "Resource": "pfrn:group--*!*/*",
            "Action": "*",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "admins"
                }
            },
            "Comment": "Allow members of the group administrator role to do anything with the group"
        },
        {
            "Resource": "pfrn:group--*!*/Members/*",
            "Action": "Read",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "*"
                }
            },
            "Comment": "Allow members of the group to view members of the group"
        },
        {
            "Resource": "pfrn:group--*!*/Roles/*",
            "Action": "Read",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "*"
                }
            },
            "Comment": "Allow members of the group to read all roles in the group"
        },
        {
            "Resource": "pfrn:group--*!*/Applications/*",
            "Action": "Create",
            "Effect": "Allow",
            "Principal": {
                "ChildOf": {
                    "EntityType": "title",
                    "EntityId": "****"
                }
            },
            "Comment": "Allow all entities to apply to join the group"
        },
        {
            "Resource": "pfrn:group--*!*/Members/[SELF]",
            "Action": "RemoveMember",
            "Effect": "Allow",
            "Principal": {
                "ChildOf": {
                    "EntityType": "title",
                    "EntityId": "****"
                }
            },
            "Comment": "Allow entities to leave the group"
        },
        {
            "Resource": "pfrn:group--*!*/Roles/*/Members/[SELF]",
            "Action": "RemoveMember",
            "Effect": "Allow",
            "Principal": {
                "ChildOf": {
                    "EntityType": "title",
                    "EntityId": "****"
                }
            },
            "Comment": "Allow entities to leave any role that they are in"
        }
    ]

And you can add two permissions for vices:

        {
            "Resource": "pfrn:group--*!*/Invitations/*",
            "Action": "Create",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "vices"
                }
            },
            "Comment": "Allow vices of the group to invite other players"
        },
        {
            "Resource": "pfrn:group--*!*/Members/*",
            "Action": "RemoveMember",
            "Effect": "Allow",
            "Principal": {
                "MemberOf": {
                    "RoleId": "vices"
                }
            },
            "Comment": "Allow vices of the group to kick members"
        }

Then put all these permissions into the Statements property for updating. Once the policy is correctly updated, your clan system should be able to work.


2 comments

Paul Pacheco commented

Thank you very much! Very helpful.

Since we are using wildcards for pfrn:group--*!*/Members/*, can these policies be added in the API Features? Or do they need to be added to each group that I create?

0 Likes

JayZuo commented (in reply to Paul Pacheco)

I just did a quick test, and it seems to work. You can try adding the above group policy to ENTITY GLOBAL TITLE POLICY and run some tests. If you have any issues, please let me know.

Besides, there is an issue in the above policy. Although vices can kick members, they can also kick admins. I think this is not what you want, and I didn't find a solution within group policy. Maybe using CloudScript might be a better solution for your scenario.

1 Like
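The follow-up comment above notes that a `Members/*` grant cannot tell an admin from an ordinary member, and suggests moving the decision to CloudScript. As an added example (not code from the thread or from PlayFab), this is the rank comparison such a server-side handler could make before inviting, kicking, promoting or demoting; the numeric ranks, the `highestRank` and `authorize` names, and the sample membership data are assumptions made for illustration.

```javascript
// Added example. Role ids follow the thread; the numeric ranks are an assumption.
const ADMIN = 3, VICE = 2, MEMBER = 1;
const ROLE_RANK = new Map([["admins", ADMIN], ["vices", VICE], ["members", MEMBER]]);

// Constructed sample membership; entity ids are made up. An entity may hold several roles.
const key = (id) => ({ Key: { Id: id, Type: "title_player_account" } });
const SAMPLE_ROLES = [
  { RoleId: "admins", Members: [key("MASTER01")] },
  { RoleId: "vices", Members: [key("VICE01"), key("VICE02")] },
  { RoleId: "members", Members: [key("MASTER01"), key("VICE01"), key("VICE02"), key("MEMBER01")] },
];

// Highest rank an entity holds; 0 means it holds no ranked role in the group.
function highestRank(roles, entityId) {
  let rank = 0;
  for (const role of roles) {
    if (role.Members.some((m) => m.Key.Id === entityId)) {
      // Role ids missing from ROLE_RANK count as 0, so a new role grants nothing
      // until it is ranked explicitly.
      rank = Math.max(rank, ROLE_RANK.get(role.RoleId) ?? 0);
    }
  }
  return rank;
}

// Deny by default. Each allowed action compares the caller's rank with the target's.
function authorize(roles, callerId, action, targetId) {
  const caller = highestRank(roles, callerId);
  const target = highestRank(roles, targetId);
  switch (action) {
    case "invite": // vices and above, and only entities not yet in the group
      return caller >= VICE && target === 0;
    case "kick": // vices and above, and only against a strictly lower rank
      return caller >= VICE && target > 0 && caller > target;
    case "promote": // master only: member -> vice
      return caller === ADMIN && target === MEMBER;
    case "demote": // master only: vice -> member
      return caller === ADMIN && target === VICE;
    default:
      return false;
  }
}
```

For the check to be effective, the vice role would not hold the `RemoveMember` grant on `Members/*` itself; the server-side handler performs the removal only after `authorize` returns true.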
