ADR: Move service.datalake.admin group to Admin user role / Lower Storage GET records and DELETE APIs to Admin role
API access level is controlled by different permission groups, the bootstrap of permission groups is explained in this documentation: https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/blob/master/docs/bootstrap/bootstrap-groups-structure.md
Currently, group service.storage.admin is the parent group of group users.datalake.ops. We want to change the permission such that service.storage.admin becomes the parent group of users.datalake.admins instead. With this change, the following APIs would be lowered to Admin privilege:
GET /query/records
DELETE /records/{id}
DELETE /schemas/{kind}
users.datalake.ops (Ops role) is a very high-privileged role given to service accounts only. Previously, certain APIs were reserved for this role alone, since we deemed them too drastic to expose without careful measures. However, per requests from many of our consumers, who rightfully want control over their data even in a SaaS offering, we have revisited the permissions. The correct behavior is to allow these capabilities with the Admin role, so that admins can query for all records of a kind and can purge records for contractual or space reasons. To achieve this, we will make the group service.storage.admin the parent of the Admin role group, so that users with the Admin role will have access to the above APIs as well.
To de-elevate the permission level of the above APIs to ADMIN, we need to move service.storage.admin from being the parent of users.datalake.ops to being the parent of users.datalake.admins.
After modifying the bootstrap process so that service.storage.admin is the parent of users.datalake.admins, the above APIs will automatically be de-elevated to ADMIN privilege when a new data partition is set up. We also need to migrate the group structure of existing data partitions to cover this change.
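The following is an added example, not code from the OSDU entitlements service or this ADR. It models the group hierarchy as a parent-to-members map, resolves effective group membership transitively, and checks which principals reach service.storage.admin before and after the change, as well as the in-place migration of an existing partition. The user names are constructed, and the edge making users.datalake.ops a member of users.datalake.admins is an assumption made here so the check can show that the Ops role keeps its access after the move.

```python
# Added example: a small model of the entitlements group hierarchy from the
# ADR, used to verify the effect of moving service.storage.admin from the
# Ops role group to the Admin role group. Not the entitlements service's code.
from collections import deque

# APIs the ADR lowers to Admin privilege; all are gated by service.storage.admin.
STORAGE_ADMIN_APIS = (
    "GET /query/records",
    "DELETE /records/{id}",
    "DELETE /schemas/{kind}",
)

# Constructed principals for the check (not from the ADR).
ADMIN_USER = "admin.user@example.com"
OPS_SERVICE_ACCOUNT = "ops.sa@example.com"


def bootstrap_before():
    """Group structure before the change: parent group -> direct members."""
    return {
        # service.storage.admin is the parent of users.datalake.ops (from the ADR).
        "service.storage.admin": {"users.datalake.ops"},
        # Assumption: the Ops role group is itself a member of the Admin role
        # group, so Ops inherits everything Admin can do.
        "users.datalake.admins": {"users.datalake.ops", ADMIN_USER},
        "users.datalake.ops": {OPS_SERVICE_ACCOUNT},
    }


def bootstrap_after():
    """Group structure produced by the modified bootstrap process."""
    groups = bootstrap_before()
    # service.storage.admin is now the parent of users.datalake.admins instead.
    groups["service.storage.admin"] = {"users.datalake.admins"}
    return groups


def migrate_partition(groups):
    """Migrate an existing partition in place: replace the users.datalake.ops
    membership of service.storage.admin with users.datalake.admins."""
    members = groups.setdefault("service.storage.admin", set())
    members.discard("users.datalake.ops")
    members.add("users.datalake.admins")
    return groups


def effective_groups(groups, principal):
    """All groups a principal belongs to, directly or through nested groups:
    a member of A, where A is a member of B, is also a member of B."""
    reached = set()
    frontier = deque([principal])
    while frontier:
        current = frontier.popleft()
        for group, members in groups.items():
            if current in members and group not in reached:
                reached.add(group)
                frontier.append(group)
    return reached


def can_call_storage_admin_apis(groups, principal):
    """True if the principal resolves to service.storage.admin."""
    return "service.storage.admin" in effective_groups(groups, principal)


if __name__ == "__main__":
    for label, groups in (("before", bootstrap_before()), ("after", bootstrap_after())):
        for principal in (ADMIN_USER, OPS_SERVICE_ACCOUNT):
            allowed = can_call_storage_admin_apis(groups, principal)
            print(f"{label}: {principal} -> {'allowed' if allowed else 'denied'} for {STORAGE_ADMIN_APIS}")
    # An existing partition migrated in place should match the new bootstrap.
    print("migration matches bootstrap:", migrate_partition(bootstrap_before()) == bootstrap_after())
```

The useful check here is the last one: after migrating an existing partition, its group map must be identical to what a fresh bootstrap produces, and the Ops service account must still resolve to service.storage.admin through users.datalake.admins rather than losing access when its direct edge is removed.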