Scopes: Adds scope to control who can create and edit users + view a user audit page

[jpye-finch]

Description

Adds scope to control who can create and edit users

Notes! A user with user.create:my-jurisdiction cannot create or edit a user with user.create:all and user.update:alleven if the users are in the same office

user.create:all
user.create:my-jurisdiction
user.update:all
user.update:my-jurisdiction
user.read:all
user.read:my-jurisdiction
user.read:my-office
user.read:only-my-audit

https://www.notion.so/opencrvs/User-Scopes-e827de98050c409fa1cfa5a2e4ea7050?pvs=4

ACs

GIVEN i have the scope user.create:all
THEN I can create a user in any location

GIVEN i have the scope user.create:my-jurisdiction
THEN I can create a user only in my jurisdiction

!!
GIVEN i have the scope user.create:my-jurisdiction
THEN I can not create a user with user.create:all

GIVEN i have the scope user.update:all
THEN I can update a user details in any location

GIVEN i have the scope user.update:my-jurisdiction
THEN I can update a user details in my jurisdiction

!!
GIVEN i have the scope user.update:my-jurisdiction
THEN I can not update a user with user.update:all

User Read Push to 1.8?
These scopes control the username links found in Team Office pages

GIVEN i have the scope user.read:all
THEN I can view all User audit views

GIVEN i have the scope user.read:my-jurisdiction
THEN I can view all User audit views for users in my jurisdiction

GIVEN i have the scope user.read:my-office
THEN I can view all User audit views for users in my office

GIVEN i have the scope user.read:only-my-audit
THEN I can only view my user audit view

[euanmillar]

@jpye-finch requirement from Somalia coming in. They need a scope about whether a user can delete another user or not. Would user.update:all cover that or do we need that explicitly mentioned. FYI @rikukissa @anninawersun

[tiri39]

1. Bug description: Any user having the scope user.read:my-office / user.read:my-jurisdiction can navigate to user audit page of other users (out of their office / jurisdiction) by clicking their profile picture icon.

   Recording:

   Farajaland.CRS.-.Google.Chrome.2024-12-30.18-05-29-c.mp4

2. Bug description: Any user having the scopes - user.read:only-my-audit (or no user.read scopes at all) and user.update:my-jurisdiction/ user.update:all cannot update details of any user except themselves.

   Recording:

   Farajaland.CRS.-.Google.Chrome.2024-12-30.18-40-12-c.mp4

[tiri39]

1.Any user having the scope user.read:my-office / user.read:my-jurisdiction can navigate to user audit page of other users (out of their office / jurisdiction) by clicking their profile picture icon. - FIXED.

Farajaland.CRS.-.Google.Chrome.2025-01-02.13-08-46-c.mp4

2.Any user having the scopes - user.read:only-my-audit (or no user.read scopes at all) and user.update:my-jurisdiction/ user.update:all cannot update details of any user except themselves. - FIXED.

Role.Permissions.-.Google.Chrome.2025-01-02.15-16-56-c.mp4

[tiri39]

Bug description: If any user having user.update:all / user.update:my-jurisdiction scope doesn't have user.create:all / user.create:my-jurisdiction scope, he cannot change user role of any user while updating.

Role.Permissions.-.Google.Chrome.2025-01-02.16-33-51-c.mp4

[tiri39]

Fixed.

Role.Permissions.-.Google.Chrome.2025-01-06.13-38-34-c.mp4