Add field user.roles

[webmat]

This array field is meant to capture a list of role names that apply to the user, in an audit log or other RBAC event.

Closes #915

[webmat]

@legrego @ebeahan Do you think I'm conflating two things here, by discussing roles and groups together?

[legrego]

I tend to think of groups as a collection of users, whereas a role is a collection of privileges. Groups are often used to model user roles within an organization though.

In my opinion, I think it makes sense to treat these as separate concepts, and only mention roles here

[webmat]

Conversely, do you think group.roles would be appropriate, then?

I realize ES doesn't have the concept of groups. But in systems that do, roles/privileges can be granted to a group as well.

Note that I'm just trying to make sure we're not missing anything obvious here. But it's probably fine to move forward with adding only this one field, and only add group.role later, if it becomes necessary.

[ebeahan]

I thought about if a group.roles field would be appropriate too.

While roles assigned to groups, it's ultimately a user who authenticates and is authorized with the roles group membership grants. So I'm not sure if group.role would be as useful right away, but I also agree we could easily add it later if necessary.

[legrego]

I agree with @ebeahan - we can introduce group.role at a later date if the need arises

[webmat]

I've completely removed all talk about groups. Actually the field description is only the short description now:

Array of user roles at the time of the event.

Do you think anything else is needed here?

[ebeahan]

Concise but clear - I think the short description works.

[webmat]

I like that this addition is a laser focused addition of one field. However I'd be curious to know if there's more fields we may want to capture, that are also important to audit logs mentioning user roles.

[ebeahan]

LGTM 👍

[legrego]

LGTM, thanks for the quick turnaround!