@vikrantgravitee vikrantgravitee commented Oct 19, 2025

Issue

https://gravitee.atlassian.net/browse/APIM-10849

Description

Shared Policy Group (SPG) configuration should only be editable by administrators.

  • Introduced new permission: ENVIRONMENT_SHARED_POLICY_GROUP_CONFIGURATION
  • Updated backend permission model to separate SPG management (read/list) from configuration (create/update/delete)
  • Updated UI permission bindings (gioPermission) to use new configuration-level permissions
  • Restricted API_PUBLISHER role to read-only access to SPG list (no configuration access)
  • Removed SPG visibility for USER role entirely
  • Ensured that only admins can add, edit, delete, deploy, or modify SPG configurations

This change enforces proper permission separation:

  • USER: no access
  • API_PUBLISHER: list SPG, use SPG
  • ADMIN: full SPG management

@vikrantgravitee vikrantgravitee requested a review from a team as a code owner October 19, 2025 18:14
@gemini-code-assist

Summary of Changes

Hello @vikrantgravitee, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and access control mechanisms for Shared Policy Groups (SPGs) by introducing a dedicated permission for configuration. This change ensures that only authorized administrators can modify SPG settings, while other user roles are granted more restrictive access or no access at all. The updates span both the backend permission definitions and the frontend UI, providing a robust and granular permission system for SPG management.

Highlights

  • New Permission Introduced: A new permission, ENVIRONMENT_SHARED_POLICY_GROUP_CONFIGURATION, has been introduced to specifically control the configuration aspects of Shared Policy Groups (SPGs).
  • Refined Access Control for SPGs: The backend permission model has been updated to clearly separate SPG management (read/list) from configuration actions (create/update/delete), ensuring more granular control.
  • UI Permission Updates: Frontend UI components and routing have been updated to utilize the new configuration-level permissions, ensuring that UI elements are displayed or hidden based on the user's configuration rights.
  • Role-Based Access Restrictions: The API_PUBLISHER role is now restricted to read-only access for SPG lists, with no configuration access. The USER role has lost all visibility of SPGs, while ADMIN retains full management capabilities.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly introduces a new permission ENVIRONMENT_SHARED_POLICY_GROUP_CONFIGURATION to restrict configuration of Shared Policy Groups (SPGs) to administrators. The changes in the UI and backend API resources consistently adopt this new permission for configuration-related actions. However, I've identified a critical issue in the default role definitions where the USER role is incorrectly granted read access to SPG configurations, which contradicts the stated goals of this PR. There are also a couple of inconsistencies in the UI routing and navigation permissions that would prevent API_PUBLISHERs from listing SPGs as intended. Please see the detailed comments for suggestions on how to resolve these issues.

.put(EnvironmentPermission.GROUP.getName(), new char[] { READ.getId() })
.put(EnvironmentPermission.TENANT.getName(), new char[] { READ.getId() })
.put(EnvironmentPermission.PLATFORM.getName(), new char[] { READ.getId() })
.put(EnvironmentPermission.SHARED_POLICY_GROUP_CONFIGURATION.getName(), new char[] { READ.getId() })
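
Review bot: missing test for the grant on the last `.put(...)` line, READ on SHARED_POLICY_GROUP_CONFIGURATION; no assertion on this role's SPG access is visible in the hunk. If this map belongs to the role the description lists as "no access", drop the entry and add a test over the default role definitions asserting that its permission map has no SHARED_POLICY_GROUP_CONFIGURATION key, so a later edit to the builder chain cannot reintroduce the grant unnoticed.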

critical

The PR description explicitly states that the USER role should have no access to Shared Policy Groups ("USER: no access"). This change grants the USER role READ permission on SHARED_POLICY_GROUP_CONFIGURATION, which would allow them to view SPG configurations. This is a security risk as it grants unintended permissions. This line should be removed to adhere to the principle of least privilege and the PR's requirements.

displayName: 'Shared Policy Groups',
routerLink: './shared-policy-groups',
permissions: ['environment-shared_policy_group-r'],
permissions: ['environment-shared_policy_group_configuration-r'],

high

This change restricts visibility of the 'Shared Policy Groups' navigation item to users with environment-shared_policy_group_configuration-r permission. However, the PR description states that an API_PUBLISHER should be able to "list SPG". API_PUBLISHERs have environment-shared_policy_group-r permission, but not the new _configuration one. This change will hide the navigation link from them, preventing them from listing SPGs from the settings page. To align with the stated requirements for API_PUBLISHER, this permission should likely remain environment-shared_policy_group-r.

Suggested change
permissions: ['environment-shared_policy_group_configuration-r'],
permissions: ['environment-shared_policy_group-r'],

data: {
permissions: {
anyOf: ['environment-shared_policy_group-r'],
anyOf: ['environment-shared_policy_group_configuration-r'],
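
Review bot: the `anyOf` entry on this route and the `permissions` entry on the 'Shared Policy Groups' menu item carry the same permission string as two separate literals, so they can drift apart. Whichever permission is settled on, keep the two identical, ideally by referencing one shared constant; otherwise a role either sees a menu link whose route rejects it or can reach a route that has no link.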

high

This change restricts access to the Shared Policy Groups list page to users with environment-shared_policy_group_configuration-r permission. This prevents API_PUBLISHERs from accessing this page, which contradicts the PR description stating they should be able to "list SPG". The individual actions on the list page (add, edit, delete) are already correctly protected by the new _configuration permission. To allow API_PUBLISHERs to view the list, this route permission should be reverted to environment-shared_policy_group-r.

Suggested change
anyOf: ['environment-shared_policy_group_configuration-r'],
anyOf: ['environment-shared_policy_group-r'],
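
The three review comments above can be checked together as one permission-matrix audit. The following is an added example, not code from this pull request or from Gravitee: the role grant maps are constructed from what the thread states, the mapping from backend permission names to UI strings is assumed from the names shown, and the `-u` guard string is an assumption.

```typescript
type Grants = Record<string, string>; // permission name -> granted action letters, e.g. 'CRUD'
type Roles = Record<string, Grants>;

// Constructed grants reflecting the thread, not copied from Gravitee's default roles.
const submitted: Roles = {
  ADMIN: { shared_policy_group: 'CRUD', shared_policy_group_configuration: 'CRUD' },
  API_PUBLISHER: { shared_policy_group: 'R' },
  USER: { shared_policy_group_configuration: 'R' }, // the grant flagged as critical
};
const corrected: Roles = { ...submitted, USER: {} };

// Intended access from the PR description: [can list SPGs, can configure SPGs].
const intended: Record<string, [boolean, boolean]> = {
  ADMIN: [true, true],
  API_PUBLISHER: [true, false],
  USER: [false, false],
};

// Evaluate one UI permission string of the form '<scope>-<name>-<action letter>'.
function holds(grants: Grants, permission: string): boolean {
  const parts = permission.split('-');
  if (parts.length !== 3 || parts[0] !== 'environment' || parts[2].length !== 1) {
    throw new Error('unexpected permission string: ' + permission);
  }
  return (grants[parts[1]] || '').indexOf(parts[2].toUpperCase()) !== -1;
}

// Compare each role's effective access under a list-page guard with the intended matrix.
function audit(roles: Roles, listGuard: string[]): string[] {
  // Assumed guard for write actions; the '-u' suffix does not appear on the page.
  const configureGuard = ['environment-shared_policy_group_configuration-u'];
  const findings: string[] = [];
  for (const role of Object.keys(intended)) {
    const grants = roles[role] || {};
    const [wantList, wantConfigure] = intended[role];
    const canList = listGuard.some((p) => holds(grants, p)); // anyOf semantics
    const canConfigure = configureGuard.some((p) => holds(grants, p));
    if (canList !== wantList) findings.push(role + ': list ' + canList + ', expected ' + wantList);
    if (canConfigure !== wantConfigure) findings.push(role + ': configure ' + canConfigure);
    // 'No access' also means holding no SPG grant at all, whatever the UI guards check.
    const spgGrants = Object.keys(grants).filter((n) => n.indexOf('shared_policy_group') === 0);
    if (!wantList && !wantConfigure && spgGrants.length > 0) findings.push(role + ': holds ' + spgGrants.join(','));
  }
  return findings;
}

const asSubmitted = audit(submitted, ['environment-shared_policy_group_configuration-r']);
const asReviewed = audit(corrected, ['environment-shared_policy_group-r']);
```

On these constructed grants, `asSubmitted` reports that the submitted combination inverts the intended access: USER can open the list page and API_PUBLISHER cannot. `asReviewed` is empty once the USER grant is dropped and the list guard uses `environment-shared_policy_group-r`.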

@vikrantgravitee vikrantgravitee marked this pull request as draft October 20, 2025 01:35
@vikrantgravitee vikrantgravitee force-pushed the APIM-10849-fix-spg-restrict-configuration-access branch from 77d3303 to 12e4e50 Compare October 20, 2025 02:14