Assign Permission to Users per Channel #3095

Open
Draykee opened this issue Sep 29, 2024 · 3 comments
Labels
design 📐 This issue deals with high-level design of a feature dx 💙 Quality of life improvements for developers refactor ♻️ Improving the implementation of existing features

Comments

@Draykee
Contributor

Draykee commented Sep 29, 2024

Is your feature request related to a problem? Please describe.
Currently, assigning permissions in our system is rigid and inefficient because roles are directly tied to users and channels independently. This setup forces us to create multiple roles for each channel even if they share similar permissions.

For instance, if I want to assign admin (role) permissions to a user for Channel X and only support (role) permissions for the same user on Channel Y, I must create duplicate roles for each channel, when I want to have each admin and support roles for the channels. This results in a complex and error-prone permission management process once you work with multiple channels and roles.

Describe the solution you'd like
I propose a more flexible permission assignment system where roles can be assigned based on a combination of user and channel. Instead of binding a role solely to a user or a channel, we would assign roles to a pair of user + channel (UserChannelRole).
This approach would allow for precise control over permissions on a per-channel basis without the need to duplicate roles across different channels. For example, a user could be assigned the 'admin' role on Channel X and 'support' on Channel Y with just a single assignment operation per channel.

Describe alternatives you've considered
I can't think of any simpler alternative. The current alternative is to create new roles every time.

Additional context
Implementing this feature would significantly streamline our permission management process, reducing administrative overhead and the potential for errors.

@dlhck dlhck moved this to 👀 Under consideration in Vendure OS Roadmap Sep 30, 2024
@dlhck dlhck added design 📐 This issue deals with high-level design of a feature dx 💙 Quality of life improvements for developers refactor ♻️ Improving the implementation of existing features labels Sep 30, 2024
@DanielBiegler
Contributor

Yes please. For anyone that wants a concrete example, see the POC multi vendor plugin inside the service.

```ts
// One role is created per seller and scoped to that seller's channel.
const role = await this.roleService.create(ctx, {
    code: `${shopCode}-admin`,
    channelIds: [channel.id],
    description: `Administrator of ${input.shopName}`,
    permissions: [
        Permission.CreateCatalog,
        Permission.UpdateCatalog,
        Permission.ReadCatalog,
        Permission.DeleteCatalog,
        Permission.CreateOrder,
        Permission.ReadOrder,
        Permission.UpdateOrder,
        Permission.DeleteOrder,
        Permission.ReadCustomer,
        Permission.ReadPaymentMethod,
        Permission.ReadShippingMethod,
        Permission.ReadPromotion,
        Permission.ReadCountry,
        Permission.ReadZone,
        Permission.CreateCustomer,
        Permission.UpdateCustomer,
        Permission.DeleteCustomer,
        Permission.CreateTag,
        Permission.ReadTag,
        Permission.UpdateTag,
        Permission.DeleteTag,
    ],
});
// The seller's administrator account is bound to that per-seller role.
const administrator = await this.administratorService.create(ctx, {
    firstName: input.seller.firstName,
    lastName: input.seller.lastName,
    emailAddress: input.seller.emailAddress,
    password: input.seller.password,
    roleIds: [role.id],
});
```

You gotta create ${shopCode}-admin roles per seller, which becomes a PITA quite quickly once you need to add/remove a permission for all "*-admin" roles. Or is there an ergonomic way to deal with it right now, @Draykee? I don't think so?

@Draykee
Contributor Author

Draykee commented Oct 17, 2024

I also had to solve it like this as well. I will most likely run a database query to add/remove permissions to roles.

We already have 50+ roles, and we didn't even fully launch the feature yet. In the future we also need admin, moderator, etc. roles per channel, so the amount of roles will at least 3x.

@dlhck If you guys decide to bring the rework earlier, I'm down to help with contributions. I believe the rework might actually be smaller than we think. The biggest part might be the UI and the migration script.

@mschipperheyn
Collaborator

One aspect that I hope this approach will "automatically solve" is to ensure that administrator CRUD becomes channel-specific. Currently, anyone with the ReadAdministrator/UpdateAdministrator privilege can read/update administrators on an entire MultiVendor environment.
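
The user + channel assignment proposed in the opening post, together with the channel-scoped administrator listing raised in the last comment, sketched as an added example: this is not Vendure code and not written by any participant in the thread. `ChannelRbac`, its methods, the shape of `UserChannelRole`, and the sample users and channels are all assumptions made for illustration.

```typescript
// Added illustration, not Vendure code: every type and method here is hypothetical.
type Permission = 'ReadOrder' | 'UpdateOrder' | 'UpdateCatalog' | 'ReadAdministrator';

// The proposed join record: a role is granted to a (user, channel) pair.
interface UserChannelRole { userId: string; channelId: string; roleCode: string }

class ChannelRbac {
    private roles = new Map<string, Set<Permission>>();
    private grants: UserChannelRole[] = [];

    defineRole(code: string, permissions: Permission[]): void {
        this.roles.set(code, new Set(permissions));
    }

    assign(userId: string, channelId: string, roleCode: string): void {
        if (!this.roles.has(roleCode)) throw new Error(`unknown role: ${roleCode}`);
        this.grants.push({ userId, channelId, roleCode });
    }

    // Deny by default: only grants for exactly this user and channel are consulted.
    can(userId: string, channelId: string, permission: Permission): boolean {
        return this.grants.some(g => g.userId === userId && g.channelId === channelId
            && (this.roles.get(g.roleCode)?.has(permission) ?? false));
    }

    // Administrators an actor may list: users on channels where the actor holds ReadAdministrator.
    visibleAdministrators(actorId: string): string[] {
        const ids = this.grants
            .filter(g => this.can(actorId, g.channelId, 'ReadAdministrator'))
            .map(g => g.userId);
        return Array.from(new Set(ids)).sort();
    }

    // One edit to a shared role takes effect on every channel where it is assigned.
    revoke(roleCode: string, permission: Permission): void {
        this.roles.get(roleCode)?.delete(permission);
    }
}

// Constructed sample data: two shared roles, three users, two channels.
function buildSample(): ChannelRbac {
    const rbac = new ChannelRbac();
    rbac.defineRole('admin', ['ReadOrder', 'UpdateOrder', 'UpdateCatalog', 'ReadAdministrator']);
    rbac.defineRole('support', ['ReadOrder']);
    rbac.assign('alice', 'channel-x', 'admin');
    rbac.assign('alice', 'channel-y', 'support');
    rbac.assign('bob', 'channel-y', 'admin');
    rbac.assign('carol', 'channel-x', 'support');
    return rbac;
}
```

With two role definitions in total, `alice` is admin on one channel and support on the other, and a single `revoke` on the shared `admin` role replaces the per-seller bulk update described in the thread.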
