# Roles in pulpcore

# Goals

* add roles that can be assigned to users or groups of users to transitively grant permissions
* simplicity - initially can be achieved by restricting role creation to plugin writers
* make existence of RBAC completely configurable

# Implementation

* role definitions will live in an access policy. a default policy is provided by plugin writers.

## Todo to support Implementation

* refactor queryset restriction `get_queryset()` function for filtering objects for a specific user
* TODO: `get_objects_for_user()` function for filtering objects by permission
* replace the access policy assignment to not be permission based but instead role-based facilities
  * e.g. replace `add_for_users` and `add_for_groups` to not use guardians
* Remove the django-admin guardian things
  * currently ModelAdmin objects inherit from django-guardian
* Need to remove the group permission endpoints

## Timeline

* 3.16 - Add all the things
* 3.17 - remove django guardian from the stack

## Future Implementation

* Add facilities in the API to list roles
* Add facilities in the API to add global roles to users
* Add facilities in the API to add global roles to groups
* Add facilities in the API to add global roles to users for specific objects
* Add facilities in the API to add global roles to groups for specific objects

Note: users would not be able to do these operations ^ at a "permission" level

# Use cases

* Access policy is only created/updated before anything exists in Pulp

###### tags: `RBAC`