Hi team, a couple of things I ran into:
1) I was getting an ambiguous error logging into my app with a test user.

I worked out it was because I was sourcing the agent login display name from the organisations app and this user role didn't have the data access read role assigned to their role. I fixed that up and it's working now.
Would it be possible to make the error message more explicit about which resource or action is denied in some sort of details view, or to put an error in the system > log if you want to keep the end-user dialog simple? Would save a bit of a trial and error hunt for which resource was missing.
2) I initially struggled to work out how to make my roles members of data access roles in the organisation app. But then I realised the properties window is not visible by default and it was in any case not accessible to the 'everyone' role, only on my own roles.
Could you explain a little about how the everyone role fits into any permissions inheritance or how it is meant to be used? My guesses are that all users of my app get the base layer of permissions assigned to 'everyone' and then my read/write/admin roles are layered on top of that? Is that a correct assumption? If yes, it would be useful to be able to add data_access read role once under 'everyone' here rather than to each role. Or is the thinking that this will make it harder to visualise overall permissions as things start to get split up between two places to look?
My other thought was that 'everyone' is used as a template when you create your own roles, but that doesn't seem to be the case.
Cheers.