feat: 🎸 Add grant templates for roles (#3115)

* feat: 🎸 Add grant templates for roles

* test: 💍 Add a11y ignore

* fix: 🐛 Add selected text

* test: 💍 Update tests

* refactor: 💡 Update manage scope styles to be consistent as well

* Add missing copyright headers

---------

Co-authored-by: ZedLi <5783847+ZedLi@users.noreply.github.com>

Author: ZedLi

addons/core/addon/styles/addon.scss

@@ -31,6 +31,14 @@
     }
   }
 
+  .selected-items-text {
+    display: flex;
+    justify-content: end;
+    align-items: center;
+    height: 1rem;
+    margin-bottom: 0.5rem;
+  }
+
   > div,
   table {
     margin-bottom: 1rem;
@@ -40,6 +48,11 @@
     .hds-dropdown-toggle-button__text {
       white-space: nowrap;
     }
+
+    // Remove margin if the segmented group is followed by the selected items text
+    &:has(+ .selected-items-text) {
+      margin-bottom: 0;
+    }
   }
 
   .search-filtering-toolbar {

addons/core/translations/resources/en-us.yaml

@@ -613,6 +613,53 @@ role:
     description: Grants are permissions which allow roles to take actions and access resources.
     actions:
       create: New Grant
+  grant-templates:
+    title_plural: Grant Templates
+    actions:
+      add-grant-templates: Add Grant Templates
+    messages:
+      add-grant-templates:
+        title: Add Grant Templates
+        description: Select grant templates to add to this role.
+    titles:
+      grant-strings: Grant Strings
+    templates:
+      global-admin:
+        name: Global Admin
+        description: Full administrative access to all resources in Boundary
+      org-admin:
+        name: Org Admin
+        description: Administrative access to all resources within an organization
+      project-admin:
+        name: Project Admin
+        description: Administrative access to all resources within a project
+      session-manager:
+        name: Session Manager
+        description: Can view and cancel sessions
+      target-manager:
+        name: Target Manager
+        description: Can create and manage targets
+      host-resource-manager:
+        name: Host Resource Manager
+        description: Can manage hosts and host catalogs
+      credential-manager:
+        name: Credential Manager
+        description: Can manage credentials and credential stores
+      user-manager:
+        name: User Manager
+        description: Can manage users, groups, and accounts
+      auth-method-manager:
+        name: Auth Method Manager
+        description: Can manage auth methods and managed groups
+      session-auditor:
+        name: Session Auditor
+        description: Can view session recordings
+      target-user:
+        name: Target User
+        description: Can connect to targets but cannot manage anything
+      read-only-user:
+        name: Read-Only User
+        description: Can view but not modify any resources
   scope:
     title: Scope
     title_plural: Scopes
@@ -624,7 +671,6 @@ role:
       parent_scope: Parent scope
       resource_type: Resource type
       projects_selected: Projects selected
-      selected: '{items} selected out of {total}'
     messages:
       none:
         title: No scopes added

addons/core/translations/states/en-us.yaml

@@ -29,3 +29,4 @@ incomplete-loading:
   refreshing:
     description: Updating cache...
     tooltip: Some items may not appear until the cache is finished updating
+selected-items: '{items} selected out of {total}'

ui/admin/app/components/form/role/add-grant-templates/index.hbs

@@ -0,0 +1,97 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+}}
+
+<Rose::Form
+  class='full-width search-filtering'
+  @onSubmit={{this.submit}}
+  @cancel={{@cancel}}
+  @disabled={{@model.isSaving}}
+  as |form|
+>
+  <Hds::SegmentedGroup as |S|>
+    <S.TextInput
+      @value={{@search}}
+      @type='search'
+      placeholder={{t 'actions.search'}}
+      aria-label={{t 'actions.search'}}
+      {{on 'input' @handleSearchInput}}
+    />
+  </Hds::SegmentedGroup>
+
+  {{#if this.paginatedTemplates}}
+
+    <div class='selected-items-text'>
+      {{#if this.selectedGrantTemplates}}
+        <Hds::Text::Body @tag='p' @color='faint'>
+          {{t
+            'states.selected-items'
+            items=this.selectedGrantTemplates.length
+            total=this.totalCount
+          }}
+        </Hds::Text::Body>
+      {{/if}}
+    </div>
+
+    <Hds::Table
+      @model={{this.paginatedTemplates}}
+      @columns={{array
+        (hash label=(t 'form.name.label'))
+        (hash label=(t 'resources.role.grant-templates.titles.grant-strings'))
+      }}
+      @isSelectable={{true}}
+      @onSelectionChange={{this.onSelectionChange}}
+      @valign='middle'
+    >
+      <:body as |B|>
+        <B.Tr
+          @selectionKey={{B.data.id}}
+          @isSelected={{includes B.data.id this.selectedGrantTemplates}}
+          @selectionAriaLabelSuffix='row {{B.data.id}}'
+        >
+          <B.Td>
+            <Hds::Text::Body @tag='p' @weight='semibold'>
+              {{B.data.name}}
+            </Hds::Text::Body>
+            <Hds::Text::Body @tag='p'>
+              {{B.data.description}}
+            </Hds::Text::Body>
+          </B.Td>
+          <B.Td>
+            <ul>
+              {{#each B.data.grantStrings as |grantString|}}
+                <li>
+                  <Hds::Text::Code @tag='code'>{{grantString}}</Hds::Text::Code>
+                </li>
+              {{/each}}
+            </ul>
+          </B.Td>
+        </B.Tr>
+      </:body>
+    </Hds::Table>
+    <Rose::Pagination
+      @totalItems={{this.filteredTemplates.length}}
+      @currentPage={{@page}}
+      @currentPageSize={{@pageSize}}
+    />
+    <form.actions
+      @submitText={{t
+        'resources.role.grant-templates.actions.add-grant-templates'
+      }}
+      @cancelText={{t 'actions.cancel'}}
+    />
+  {{else}}
+    <Hds::ApplicationState data-test-no-grant-template-results as |A|>
+      <A.Header @title={{t 'titles.no-results-found'}} />
+      <A.Body
+        @text={{t
+          'descriptions.no-search-results'
+          query=@search
+          resource=(t 'resources.role.grant-templates.title_plural')
+        }}
+      />
+    </Hds::ApplicationState>
+  {{/if}}
+
+</Rose::Form>

ui/admin/app/components/form/role/add-grant-templates/index.js

@@ -0,0 +1,195 @@
+/**
+ * Copyright IBM Corp. 2021, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Component from '@glimmer/component';
+import { action } from '@ember/object';
+import { tracked } from '@glimmer/tracking';
+import { service } from '@ember/service';
+
+export default class FormRoleAddGrantTemplatesIndexComponent extends Component {
+  // =services
+
+  @service intl;
+
+  // =properties
+
+  @tracked selectedGrantTemplates = [];
+
+  /**
+   * Grant template definitions with their grant strings.
+   * @type {Array<{id: string, grantStrings: Array<string>}>}
+   */
+  grantTemplateDefinitions = [
+    {
+      id: 'global-admin',
+      grantStrings: ['ids=*;type=*;actions=*'],
+    },
+    {
+      id: 'org-admin',
+      grantStrings: [
+        'ids=<org-id>;type=scope;actions=*',
+        'ids=*;type=auth-method;actions=*',
+        'ids=*;type=user;actions=*',
+        'ids=*;type=group;actions=*',
+        'ids=*;type=role;actions=*',
+      ],
+    },
+    {
+      id: 'project-admin',
+      grantStrings: [
+        'ids=<project-id>;type=scope;actions=*',
+        'ids=*;type=host-catalog;actions=*',
+        'ids=*;type=target;actions=*',
+        'ids=*;type=credential-store;actions=*',
+        'ids=*;type=session;actions=*',
+      ],
+    },
+    {
+      id: 'session-manager',
+      grantStrings: [
+        'ids=*;type=session;actions=list,read,cancel',
+        'ids=*;type=target;actions=read,list',
+      ],
+    },
+    {
+      id: 'target-manager',
+      grantStrings: [
+        'ids=*;type=target;actions=create,list,read,update,delete,add-host-sources,set-host-sources,remove-host-sources,add-credential-sources,set-credential-sources,remove-credential-sources',
+      ],
+    },
+    {
+      id: 'host-resource-manager',
+      grantStrings: [
+        'ids=*;type=host-catalog;actions=create,list,read,update,delete',
+        'ids=*;type=host-set;actions=create,read,update,delete,add-hosts,set-hosts,remove-hosts',
+        'ids=*;type=host;actions=create,read,update,delete',
+      ],
+    },
+    {
+      id: 'credential-manager',
+      grantStrings: [
+        'ids=*;type=credential;actions=create,read,update,delete',
+        'ids=*;type=credential-store;actions=create,list,read,update,delete',
+        'ids=*;type=credential-library;actions=create,read,update,delete',
+      ],
+    },
+    {
+      id: 'user-manager',
+      grantStrings: [
+        'ids=*;type=user;actions=create,list,read,update,delete,add-accounts,set-accounts,remove-accounts',
+        'ids=*;type=group;actions=create,list,read,update,delete,add-members,set-members,remove-members',
+        'ids=*;type=account;actions=create,read,update,delete',
+      ],
+    },
+    {
+      id: 'auth-method-manager',
+      grantStrings: [
+        'ids=*;type=auth-method;actions=create,list,read,update,delete,change-state',
+        'ids=*;type=managed-group;actions=create,read,update,delete',
+      ],
+    },
+    {
+      id: 'session-auditor',
+      grantStrings: [
+        'ids=*;type=session;actions=list,read',
+        'ids=*;type=session-recording;actions=list,read,download',
+      ],
+    },
+    {
+      id: 'target-user',
+      grantStrings: [
+        'ids=*;type=target;actions=authorize-session,read,list',
+        'ids=*;type=session;actions=read:self,cancel:self',
+      ],
+    },
+    {
+      id: 'read-only-user',
+      grantStrings: ['ids=*;type=session;actions=list,read,cancel'],
+    },
+  ];
+
+  /**
+   * Grant templates with translated names and descriptions.
+   * @type {Array<{id: string, name: string, grantStrings: Array<string>, description: string}>}
+   */
+  get grantTemplates() {
+    return this.grantTemplateDefinitions.map((template) => ({
+      id: template.id,
+      name: this.intl.t(
+        `resources.role.grant-templates.templates.${template.id}.name`,
+      ),
+      grantStrings: template.grantStrings,
+      description: this.intl.t(
+        `resources.role.grant-templates.templates.${template.id}.description`,
+      ),
+    }));
+  }
+
+  /**
+   * Filtered grant templates based on search query.
+   * @return {Array<{id: string, name: string, grantStrings: Array<string>, description: string}>}
+   */
+  get filteredTemplates() {
+    let filteredTemplates = this.grantTemplates;
+
+    if (this.args.search) {
+      filteredTemplates = this.grantTemplates.filter((template) => {
+        const searchTerm = this.args.search?.toLowerCase() ?? '';
+        return (
+          template.name.toLowerCase().includes(searchTerm) ||
+          template.description.toLowerCase().includes(searchTerm) ||
+          template.grantStrings.some((grant) => grant.includes(searchTerm))
+        );
+      });
+    }
+
+    return filteredTemplates;
+  }
+
+  /**
+   * Paginated templates for current page.
+   * @type {Array}
+   */
+  get paginatedTemplates() {
+    return this.filteredTemplates.slice(
+      (this.args.page - 1) * this.args.pageSize,
+      this.args.page * this.args.pageSize,
+    );
+  }
+
+  get totalCount() {
+    return this.grantTemplateDefinitions.length;
+  }
+  // =actions
+
+  @action
+  onSelectionChange({ selectionKey, selectedRowsKeys }) {
+    const oldKeys = new Set(this.selectedGrantTemplates);
+    if (selectionKey === 'all') {
+      const newKeys = new Set(selectedRowsKeys);
+      if (newKeys.size === 0) {
+        this.selectedGrantTemplates = [...newKeys.difference(oldKeys)];
+      } else {
+        this.selectedGrantTemplates = [...newKeys.union(oldKeys)];
+      }
+    } else {
+      if (oldKeys.has(selectionKey)) {
+        oldKeys.delete(selectionKey);
+      } else {
+        oldKeys.add(selectionKey);
+      }
+      this.selectedGrantTemplates = [...oldKeys];
+    }
+  }
+
+  @action
+  submit() {
+    // Convert selected template IDs to their grant strings
+    const grantStrings = this.grantTemplates
+      .filter((template) => this.selectedGrantTemplates.includes(template.id))
+      .flatMap((template) => template.grantStrings);
+    this.args.submit(grantStrings);
+  }
+}