Refactor user organization roles and enhance database schema

- Updated the UserOrganizationRole enum to include new roles: WorkspaceAdmin, DataAdmin, Querier, RestrictedQuerier, and Viewer, replacing the previous roles of Owner, Member, and Admin.
- Modified the TeamToUserRole enum to change the Owner role to Manager.
- Added new database tables for dataset_groups, dataset_permissions, datasets_to_dataset_groups, and permission_groups_to_users to support enhanced data management.
- Introduced UserOrganizationStatusEnum to the schema for better organization status tracking.

These changes improve role management and expand the database schema for better data organization and permissions handling.

api/migrations/2025-01-08-163102_add_dataset_groups_adjust_teams_adjust_permissions/down.sql

@@ -0,0 +1,50 @@
+-- This file should undo anything in `up.sql`
+-- Revert team role enum changes
+ALTER TYPE team_role_enum RENAME TO team_role_enum_old;
+CREATE TYPE team_role_enum AS ENUM ('owner', 'member');
+ALTER TABLE teams_to_users ALTER COLUMN role TYPE team_role_enum USING
+  CASE 
+    WHEN role::text = 'manager' THEN 'owner'::team_role_enum
+    ELSE role::text::team_role_enum
+  END;
+DROP TYPE team_role_enum_old;
+
+-- Drop dataset permissions related tables and indexes
+DROP INDEX dataset_permissions_dataset_id_idx;
+DROP INDEX dataset_permissions_permission_lookup_idx;
+DROP INDEX dataset_permissions_deleted_at_idx;
+DROP TABLE dataset_permissions;
+
+-- Drop permission groups join table and index
+DROP INDEX permission_groups_to_users_user_id_idx;
+DROP TABLE permission_groups_to_users;
+
+-- Drop dataset groups join table and index
+DROP INDEX datasets_to_dataset_groups_dataset_group_id_idx;
+DROP TABLE datasets_to_dataset_groups;
+
+-- Drop dataset groups table and index
+DROP INDEX dataset_groups_deleted_at_idx;
+DROP TABLE dataset_groups;
+
+-- Remove status column and enum
+ALTER TABLE users_to_organizations DROP COLUMN status;
+DROP TYPE user_organization_status_enum;
+
+-- Revert user organization role changes
+ALTER TABLE users_to_organizations ALTER COLUMN role DROP DEFAULT;
+
+ALTER TYPE user_organization_role_enum RENAME TO user_organization_role_enum_old;
+CREATE TYPE user_organization_role_enum AS ENUM ('owner', 'admin', 'querier');
+
+ALTER TABLE users_to_organizations
+    ALTER COLUMN role TYPE user_organization_role_enum
+    USING CASE
+        WHEN role::text = 'workspace_admin' THEN 'owner'
+        WHEN role::text = 'data_admin' THEN 'admin'
+        ELSE 'querier'
+    END::user_organization_role_enum;
+
+ALTER TABLE users_to_organizations ALTER COLUMN role SET DEFAULT 'querier';
+
+DROP TYPE user_organization_role_enum_old;

api/migrations/2025-01-08-163102_add_dataset_groups_adjust_teams_adjust_permissions/up.sql

@@ -0,0 +1,109 @@
+-- Your SQL goes here
+-- Update user_organization_role enum
+ALTER TABLE users_to_organizations ALTER COLUMN role DROP DEFAULT;
+
+ALTER TYPE user_organization_role_enum RENAME TO user_organization_role_enum_old;
+
+CREATE TYPE user_organization_role_enum AS ENUM (
+    'workspace_admin',
+    'data_admin', 
+    'querier',
+    'restricted_querier',
+    'viewer'
+);
+
+ALTER TABLE users_to_organizations 
+    ALTER COLUMN role TYPE user_organization_role_enum 
+    USING CASE 
+        WHEN role::text = 'owner' THEN 'workspace_admin'
+        WHEN role::text = 'admin' THEN 'data_admin'
+        ELSE 'querier'
+    END::user_organization_role_enum;
+
+-- Set new default
+ALTER TABLE users_to_organizations ALTER COLUMN role SET DEFAULT 'querier';
+
+DROP TYPE user_organization_role_enum_old;
+
+-- Add status enum and column
+CREATE TYPE user_organization_status_enum AS ENUM (
+    'active',
+    'inactive',
+    'pending',
+    'guest'
+);
+
+ALTER TABLE users_to_organizations
+    ADD COLUMN status user_organization_status_enum NOT NULL DEFAULT 'active';
+
+-- Create dataset_groups table
+CREATE TABLE dataset_groups (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name VARCHAR NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    deleted_at TIMESTAMP WITH TIME ZONE
+);
+
+-- Add index on deleted_at for soft delete queries
+CREATE INDEX dataset_groups_deleted_at_idx ON dataset_groups(deleted_at);
+
+-- Create datasets_to_dataset_groups join table
+CREATE TABLE datasets_to_dataset_groups (
+    dataset_id UUID NOT NULL REFERENCES datasets(id) ON DELETE CASCADE,
+    dataset_group_id UUID NOT NULL REFERENCES dataset_groups(id) ON DELETE CASCADE,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (dataset_id, dataset_group_id)
+);
+
+-- Add index for faster lookups
+CREATE INDEX datasets_to_dataset_groups_dataset_group_id_idx ON datasets_to_dataset_groups(dataset_group_id);
+
+-- Create permission_groups_to_users join table
+CREATE TABLE permission_groups_to_users (
+    permission_group_id UUID NOT NULL REFERENCES permission_groups(id) ON DELETE CASCADE,
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (permission_group_id, user_id)
+);
+
+-- Add index for faster lookups
+CREATE INDEX permission_groups_to_users_user_id_idx ON permission_groups_to_users(user_id);
+
+-- Create dataset_permissions table
+CREATE TABLE dataset_permissions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    dataset_id UUID NOT NULL REFERENCES datasets(id) ON DELETE CASCADE,
+    permission_id UUID NOT NULL,
+    permission_type VARCHAR NOT NULL CHECK (
+        permission_type IN ('user', 'dataset_group', 'permission_group')
+    ),
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    deleted_at TIMESTAMP WITH TIME ZONE,
+    UNIQUE(dataset_id, permission_id, permission_type)
+);
+
+-- Add indexes for faster lookups and soft deletes
+CREATE INDEX dataset_permissions_deleted_at_idx ON dataset_permissions(deleted_at);
+CREATE INDEX dataset_permissions_permission_lookup_idx ON dataset_permissions(permission_id, permission_type);
+CREATE INDEX dataset_permissions_dataset_id_idx ON dataset_permissions(dataset_id);
+
+-- Drop default before type change
+ALTER TABLE teams_to_users ALTER COLUMN role DROP DEFAULT;
+
+-- Update team_role_enum
+ALTER TYPE team_role_enum RENAME TO team_role_enum_old;
+CREATE TYPE team_role_enum AS ENUM ('manager', 'member');
+ALTER TABLE teams_to_users ALTER COLUMN role TYPE team_role_enum USING 
+  CASE 
+    WHEN role::text = 'owner' THEN 'manager'::team_role_enum
+    ELSE role::text::team_role_enum
+  END;
+
+-- Set new default
+ALTER TABLE teams_to_users ALTER COLUMN role SET DEFAULT 'member';
+
+DROP TYPE team_role_enum_old;
+
+

api/src/database/enums.rs

@@ -38,9 +38,11 @@ pub enum MessageFeedback {
 #[diesel(sql_type = sql_types::UserOrganizationRoleEnum)]
 #[serde(rename_all = "camelCase")]
 pub enum UserOrganizationRole {
-    Owner,
+    WorkspaceAdmin,
-    Member,
+    DataAdmin,
-    Admin,
+    Querier,
+    RestrictedQuerier,
+    Viewer,
 }
 
 #[derive(
@@ -57,9 +59,8 @@ pub enum UserOrganizationRole {
 #[diesel(sql_type = sql_types::TeamRoleEnum)]
 #[serde(rename_all = "camelCase")]
 pub enum TeamToUserRole {
-    Owner,
+    Manager,
     Member,
-    Admin,
 }
 
 #[derive(
@@ -528,9 +529,11 @@ impl FromSql<sql_types::AssetPermissionRoleEnum, Pg> for AssetPermissionRole {
 impl ToSql<sql_types::UserOrganizationRoleEnum, Pg> for UserOrganizationRole {
     fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, Pg>) -> serialize::Result {
         match *self {
-            UserOrganizationRole::Owner => out.write_all(b"owner")?,
+            UserOrganizationRole::WorkspaceAdmin => out.write_all(b"workspace_admin")?,
-            UserOrganizationRole::Member => out.write_all(b"member")?,
+            UserOrganizationRole::DataAdmin => out.write_all(b"data_admin")?,
-            UserOrganizationRole::Admin => out.write_all(b"admin")?,
+            UserOrganizationRole::Querier => out.write_all(b"querier")?,
+            UserOrganizationRole::RestrictedQuerier => out.write_all(b"restricted_querier")?,
+            UserOrganizationRole::Viewer => out.write_all(b"viewer")?,
         }
         Ok(IsNull::No)
     }
@@ -539,9 +542,11 @@ impl ToSql<sql_types::UserOrganizationRoleEnum, Pg> for UserOrganizationRole {
 impl FromSql<sql_types::UserOrganizationRoleEnum, Pg> for UserOrganizationRole {
     fn from_sql(bytes: PgValue<'_>) -> deserialize::Result<Self> {
         match bytes.as_bytes() {
-            b"owner" => Ok(UserOrganizationRole::Owner),
+            b"workspace_admin" => Ok(UserOrganizationRole::WorkspaceAdmin),
-            b"member" => Ok(UserOrganizationRole::Member),
+            b"data_admin" => Ok(UserOrganizationRole::DataAdmin),
-            b"admin" => Ok(UserOrganizationRole::Admin),
+            b"querier" => Ok(UserOrganizationRole::Querier),
+            b"restricted_querier" => Ok(UserOrganizationRole::RestrictedQuerier),
+            b"viewer" => Ok(UserOrganizationRole::Viewer),
             _ => Err("Unrecognized UserRole".into()),
         }
     }
@@ -551,9 +556,8 @@ impl FromSql<sql_types::UserOrganizationRoleEnum, Pg> for UserOrganizationRole {
 impl ToSql<sql_types::TeamRoleEnum, Pg> for TeamToUserRole {
     fn to_sql<'b>(&'b self, out: &mut Output<'b, '_, Pg>) -> serialize::Result {
         match *self {
-            TeamToUserRole::Owner => out.write_all(b"owner")?,
+            TeamToUserRole::Manager => out.write_all(b"manager")?,
             TeamToUserRole::Member => out.write_all(b"member")?,
-            TeamToUserRole::Admin => out.write_all(b"admin")?,
         }
         Ok(IsNull::No)
     }
@@ -562,9 +566,8 @@ impl ToSql<sql_types::TeamRoleEnum, Pg> for TeamToUserRole {
 impl FromSql<sql_types::TeamRoleEnum, Pg> for TeamToUserRole {
     fn from_sql(bytes: PgValue<'_>) -> deserialize::Result<Self> {
         match bytes.as_bytes() {
-            b"owner" => Ok(TeamToUserRole::Owner),
+            b"manager" => Ok(TeamToUserRole::Manager),
             b"member" => Ok(TeamToUserRole::Member),
-            b"admin" => Ok(TeamToUserRole::Admin),
             _ => Err("Unrecognized UserRole".into()),
         }
     }

api/src/database/schema.rs

@@ -41,6 +41,10 @@ pub mod sql_types {
     #[diesel(postgres_type(name = "user_organization_role_enum"))]
     pub struct UserOrganizationRoleEnum;
 
+    #[derive(diesel::query_builder::QueryId, Clone, diesel::sql_types::SqlType)]
+    #[diesel(postgres_type(name = "user_organization_status_enum"))]
+    pub struct UserOrganizationStatusEnum;
+
     #[derive(diesel::query_builder::QueryId, Clone, diesel::sql_types::SqlType)]
     #[diesel(postgres_type(name = "verification_enum"))]
     pub struct VerificationEnum;
@@ -186,6 +190,28 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    dataset_groups (id) {
+        id -> Uuid,
+        name -> Varchar,
+        created_at -> Timestamptz,
+        updated_at -> Timestamptz,
+        deleted_at -> Nullable<Timestamptz>,
+    }
+}
+
+diesel::table! {
+    dataset_permissions (id) {
+        id -> Uuid,
+        dataset_id -> Uuid,
+        permission_id -> Uuid,
+        permission_type -> Varchar,
+        created_at -> Timestamptz,
+        updated_at -> Timestamptz,
+        deleted_at -> Nullable<Timestamptz>,
+    }
+}
+
 diesel::table! {
     use diesel::sql_types::*;
     use super::sql_types::DatasetTypeEnum;
@@ -213,6 +239,14 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    datasets_to_dataset_groups (dataset_id, dataset_group_id) {
+        dataset_id -> Uuid,
+        dataset_group_id -> Uuid,
+        created_at -> Timestamptz,
+    }
+}
+
 diesel::table! {
     datasets_to_permission_groups (dataset_id, permission_group_id) {
         dataset_id -> Uuid,
@@ -303,6 +337,14 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    permission_groups_to_users (permission_group_id, user_id) {
+        permission_group_id -> Uuid,
+        user_id -> Uuid,
+        created_at -> Timestamptz,
+    }
+}
+
 diesel::table! {
     sql_evaluations (id) {
         id -> Uuid,
@@ -432,6 +474,7 @@ diesel::table! {
     use diesel::sql_types::*;
     use super::sql_types::UserOrganizationRoleEnum;
     use super::sql_types::SharingSettingEnum;
+    use super::sql_types::UserOrganizationStatusEnum;
 
     users_to_organizations (user_id, organization_id) {
         user_id -> Uuid,
@@ -448,6 +491,7 @@ diesel::table! {
         created_by -> Uuid,
         updated_by -> Uuid,
         deleted_by -> Nullable<Uuid>,
+        status -> UserOrganizationStatusEnum,
     }
 }
 
@@ -457,14 +501,19 @@ diesel::joinable!(collections -> organizations (organization_id));
 diesel::joinable!(dashboard_versions -> dashboards (dashboard_id));
 diesel::joinable!(dashboards -> organizations (organization_id));
 diesel::joinable!(data_sources -> organizations (organization_id));
+diesel::joinable!(dataset_permissions -> datasets (dataset_id));
 diesel::joinable!(datasets -> data_sources (data_source_id));
 diesel::joinable!(datasets -> organizations (organization_id));
+diesel::joinable!(datasets_to_dataset_groups -> dataset_groups (dataset_group_id));
+diesel::joinable!(datasets_to_dataset_groups -> datasets (dataset_id));
 diesel::joinable!(datasets_to_permission_groups -> datasets (dataset_id));
 diesel::joinable!(datasets_to_permission_groups -> permission_groups (permission_group_id));
 diesel::joinable!(messages -> datasets (dataset_id));
 diesel::joinable!(messages -> threads (thread_id));
 diesel::joinable!(messages -> users (sent_by));
 diesel::joinable!(permission_groups -> organizations (organization_id));
+diesel::joinable!(permission_groups_to_users -> permission_groups (permission_group_id));
+diesel::joinable!(permission_groups_to_users -> users (user_id));
 diesel::joinable!(teams -> organizations (organization_id));
 diesel::joinable!(teams -> users (created_by));
 diesel::joinable!(teams_to_users -> teams (team_id));
@@ -488,13 +537,17 @@ diesel::allow_tables_to_appear_in_same_query!(
     dashboards,
     data_sources,
     dataset_columns,
+    dataset_groups,
+    dataset_permissions,
     datasets,
+    datasets_to_dataset_groups,
     datasets_to_permission_groups,
     entity_relationship,
     messages,
     organizations,
     permission_groups,
     permission_groups_to_identities,
+    permission_groups_to_users,
     sql_evaluations,
     teams,
     teams_to_users,