core: Initial RBAC (#6806)

* rename consent permission Signed-off-by: Jens Langhammer <jens@goauthentik.io> * the user version Signed-off-by: Jens Langhammer <jens@goauthentik.io> t Signed-off-by: Jens Langhammer <jens@goauthentik.io> * initial role Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start form Signed-off-by: Jens Langhammer <jens@goauthentik.io> * some minor table refactoring Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix user, add assign Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add roles ui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix backend Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add assign API for roles Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start adding toggle buttons Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start view page Signed-off-by: Jens Langhammer <jens@goauthentik.io> * exclude add_ permission for per-object perms Signed-off-by: Jens Langhammer <jens@goauthentik.io> * small cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add permission list for roles Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make sidebar update Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix page header not re-rendering? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fixup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add search Signed-off-by: Jens Langhammer <jens@goauthentik.io> * show first category in table groupBy except when its empty Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make model and object PK optional but required together Signed-off-by: Jens Langhammer <jens@goauthentik.io> * allow for setting global perms Signed-off-by: Jens Langhammer <jens@goauthentik.io> * exclude non-authentik permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * exclude models which aren't allowed (base models etc) Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ensure all models have verbose_name set, exclude some more internal objects Signed-off-by: Jens Langhammer <jens@goauthentik.io> * lint fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix role perm assign Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add unasign for global perms Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add meta changes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * clear modal state after submit Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add roles to our group Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix duplicate url names Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make recursive group query more usable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add name field to role itself and move group creation to signal Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start sync Signed-off-by: Jens Langhammer <jens@goauthentik.io> * move rbac stuff to separate django app Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix lint and such Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix go Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start API changes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more API tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make admin interface not require superuser for now, improve error handling Signed-off-by: Jens Langhammer <jens@goauthentik.io> * replace some IsAdminUser where applicable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * migrate flow inspector perms to actual permission Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix license not being a serializermodel Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add permission modal to models without view page Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add additional permissions to assign/unassign permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add action to unassign user permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add permissions tab to remaining view pages Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix flow inspector permission check Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix codecov config? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more API tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ensure viewsets have an order set Signed-off-by: Jens Langhammer <jens@goauthentik.io> * hopefully the last api name change Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make perm modal less confusing Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start user view permission page Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only make delete bulk form expandable if usedBy is set Signed-off-by: Jens Langhammer <jens@goauthentik.io> * expand permission tables Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add more things Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add user global permission table Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix lint Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests' url names Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add tests for assign perms Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add unassign tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rebuild permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * prevent assigning/unassigning permissions to internal service accounts Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only enable default api browser in debug Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix role object permissions showing duplicate Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix role link on role object permissions table Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix object permission modal having duplicate close buttons Signed-off-by: Jens Langhammer <jens@goauthentik.io> * return error if user has no global perm and no object perms also improve error display on table Signed-off-by: Jens Langhammer <jens@goauthentik.io> * small optimisation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * optimise even more Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add system permission for non-object permissions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * allow access to admin interface based on perm Signed-off-by: Jens Langhammer <jens@goauthentik.io> * clean Signed-off-by: Jens Langhammer <jens@goauthentik.io> * don't exclude base models Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-10-16 17:31:50 +02:00
parent dce913496e
commit e28babb0b8
139 changed files with 6563 additions and 425 deletions
--- a/web/src/elements/rbac/ObjectPermissionModal.ts
+++ b/web/src/elements/rbac/ObjectPermissionModal.ts
@ -0,0 +1,74 @@
+import { AKElement } from "@goauthentik/app/elements/Base";
+import "@goauthentik/elements/forms/ModalForm";
+import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
+import "@goauthentik/elements/rbac/ObjectPermissionsPage";
+
+import { msg } from "@lit/localize";
+import { CSSResult, TemplateResult, html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+import { RbacPermissionsAssignedByUsersListModelEnum } from "@goauthentik/api";
+
+/**
+ * This is a bit of a hack to get the viewport checking from ModelForm,
+ * even though we actually don't need a form here.
+ * #TODO: Rework this in the future
+ */
+@customElement("ak-rbac-object-permission-modal-form")
+export class ObjectPermissionsPageForm extends ModelForm<unknown, string> {
+    @property()
+    model?: RbacPermissionsAssignedByUsersListModelEnum;
+
+    @property()
+    objectPk?: string | number;
+
+    loadInstance(): Promise<unknown> {
+        return Promise.resolve();
+    }
+    send(): Promise<unknown> {
+        return Promise.resolve();
+    }
+
+    renderForm(): TemplateResult {
+        return html`<ak-rbac-object-permission-page
+            .model=${this.model}
+            .objectPk=${this.objectPk}
+            slot="form"
+        >
+        </ak-rbac-object-permission-page>`;
+    }
+}
+
+@customElement("ak-rbac-object-permission-modal")
+export class ObjectPermissionModal extends AKElement {
+    @property()
+    model?: RbacPermissionsAssignedByUsersListModelEnum;
+
+    @property()
+    objectPk?: string | number;
+
+    static get styles(): CSSResult[] {
+        return [PFBase, PFButton];
+    }
+
+    render(): TemplateResult {
+        return html`
+            <ak-forms-modal .showSubmitButton=${false} cancelText=${msg("Close")}>
+                <span slot="header"> ${msg("Update Permissions")} </span>
+                <ak-rbac-object-permission-modal-form
+                    slot="form"
+                    .model=${this.model}
+                    .objectPk=${this.objectPk}
+                ></ak-rbac-object-permission-modal-form>
+                <button slot="trigger" class="pf-c-button pf-m-plain">
+                    <pf-tooltip position="top" content=${msg("Permissions")}>
+                        <i class="fas fa-lock"></i>
+                    </pf-tooltip>
+                </button>
+            </ak-forms-modal>
+        `;
+    }
+}
--- a/web/src/elements/rbac/ObjectPermissionsPage.ts
+++ b/web/src/elements/rbac/ObjectPermissionsPage.ts
@ -0,0 +1,68 @@
+import { AKElement } from "@goauthentik/app/elements/Base";
+import "@goauthentik/app/elements/rbac/RoleObjectPermissionTable";
+import "@goauthentik/app/elements/rbac/UserObjectPermissionTable";
+import "@goauthentik/elements/Tabs";
+
+import { msg } from "@lit/localize";
+import { CSSResult, TemplateResult, html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import PFCard from "@patternfly/patternfly/components/Card/card.css";
+import PFPage from "@patternfly/patternfly/components/Page/page.css";
+import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+import { RbacPermissionsAssignedByUsersListModelEnum } from "@goauthentik/api";
+
+@customElement("ak-rbac-object-permission-page")
+export class ObjectPermissionPage extends AKElement {
+    @property()
+    model?: RbacPermissionsAssignedByUsersListModelEnum;
+
+    @property()
+    objectPk?: string | number;
+
+    static get styles(): CSSResult[] {
+        return [PFBase, PFGrid, PFPage, PFCard];
+    }
+    render(): TemplateResult {
+        return html`<ak-tabs pageIdentifier="permissionPage">
+            <section
+                slot="page-object-user"
+                data-tab-title="${msg("User Object Permissions")}"
+                class="pf-c-page__main-section pf-m-no-padding-mobile"
+            >
+                <div class="pf-l-grid pf-m-gutter">
+                    <div class="pf-c-card pf-l-grid__item pf-m-12-col">
+                        <div class="pf-c-card__title">User Object Permissions</div>
+                        <div class="pf-c-card__body">
+                            <ak-rbac-user-object-permission-table
+                                .model=${this.model}
+                                .objectPk=${this.objectPk}
+                            >
+                            </ak-rbac-user-object-permission-table>
+                        </div>
+                    </div>
+                </div>
+            </section>
+            <section
+                slot="page-object-role"
+                data-tab-title="${msg("Role Object Permissions")}"
+                class="pf-c-page__main-section pf-m-no-padding-mobile"
+            >
+                <div class="pf-l-grid pf-m-gutter">
+                    <div class="pf-c-card pf-l-grid__item pf-m-12-col">
+                        <div class="pf-c-card__title">Role Object Permissions</div>
+                        <div class="pf-c-card__body">
+                            <ak-rbac-role-object-permission-table
+                                .model=${this.model}
+                                .objectPk=${this.objectPk}
+                            >
+                            </ak-rbac-role-object-permission-table>
+                        </div>
+                    </div>
+                </div>
+            </section>
+        </ak-tabs>`;
+    }
+}
--- a/web/src/elements/rbac/PermissionSelectModal.ts
+++ b/web/src/elements/rbac/PermissionSelectModal.ts
@ -0,0 +1,95 @@
+import { groupBy } from "@goauthentik/app/common/utils";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { uiConfig } from "@goauthentik/common/ui/config";
+import "@goauthentik/elements/buttons/SpinnerButton";
+import { PaginatedResponse } from "@goauthentik/elements/table/Table";
+import { TableColumn } from "@goauthentik/elements/table/Table";
+import { TableModal } from "@goauthentik/elements/table/TableModal";
+
+import { msg } from "@lit/localize";
+import { CSSResult, TemplateResult, html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
+
+import { Permission, RbacApi } from "@goauthentik/api";
+
+@customElement("ak-rbac-permission-select-table")
+export class PermissionSelectModal extends TableModal<Permission> {
+    checkbox = true;
+    checkboxChip = true;
+
+    searchEnabled(): boolean {
+        return true;
+    }
+
+    @property()
+    confirm!: (selectedItems: Permission[]) => Promise<unknown>;
+
+    order = "content_type__app_label,content_type__model";
+
+    static get styles(): CSSResult[] {
+        return super.styles.concat(PFBanner);
+    }
+
+    async apiEndpoint(page: number): Promise<PaginatedResponse<Permission>> {
+        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+            ordering: this.order,
+            page: page,
+            pageSize: (await uiConfig()).pagination.perPage,
+            search: this.search || "",
+        });
+    }
+
+    groupBy(items: Permission[]): [string, Permission[]][] {
+        return groupBy(items, (perm) => {
+            return perm.appLabelVerbose;
+        });
+    }
+
+    columns(): TableColumn[] {
+        return [new TableColumn(msg("Name"), "codename"), new TableColumn(msg("Model"), "")];
+    }
+
+    row(item: Permission): TemplateResult[] {
+        return [
+            html`<div>
+                <div>${item.name}</div>
+            </div>`,
+            html`${item.modelVerbose}`,
+        ];
+    }
+
+    renderSelectedChip(item: Permission): TemplateResult {
+        return html`${item.name}`;
+    }
+
+    renderModalInner(): TemplateResult {
+        return html`<section class="pf-c-modal-box__header pf-c-page__main-section pf-m-light">
+                <div class="pf-c-content">
+                    <h1 class="pf-c-title pf-m-2xl">${msg("Select permissions to grant")}</h1>
+                </div>
+            </section>
+            <section class="pf-c-modal-box__body pf-m-light">${this.renderTable()}</section>
+            <footer class="pf-c-modal-box__footer">
+                <ak-spinner-button
+                    .callAction=${() => {
+                        return this.confirm(this.selectedElements).then(() => {
+                            this.open = false;
+                        });
+                    }}
+                    class="pf-m-primary"
+                >
+                    ${msg("Add")} </ak-spinner-button
+                >&nbsp;
+                <ak-spinner-button
+                    .callAction=${async () => {
+                        this.open = false;
+                    }}
+                    class="pf-m-secondary"
+                >
+                    ${msg("Cancel")}
+                </ak-spinner-button>
+            </footer>`;
+    }
+}
--- a/web/src/elements/rbac/RoleObjectPermissionForm.ts
+++ b/web/src/elements/rbac/RoleObjectPermissionForm.ts
@ -0,0 +1,107 @@
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import "@goauthentik/components/ak-toggle-group";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
+import { customElement, property, state } from "lit/decorators.js";
+
+import {
+    ModelEnum,
+    PaginatedPermissionList,
+    RbacApi,
+    RbacRolesListRequest,
+    Role,
+} from "@goauthentik/api";
+
+interface RoleAssignData {
+    role: string;
+    permissions: {
+        [key: string]: boolean;
+    };
+}
+
+@customElement("ak-rbac-role-object-permission-form")
+export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number> {
+    @property()
+    model?: ModelEnum;
+
+    @property()
+    objectPk?: string;
+
+    @state()
+    modelPermissions?: PaginatedPermissionList;
+
+    async load(): Promise<void> {
+        const [appLabel, modelName] = (this.model || "").split(".");
+        this.modelPermissions = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+            contentTypeModel: modelName,
+            contentTypeAppLabel: appLabel,
+            ordering: "codename",
+        });
+    }
+
+    loadInstance(): Promise<RoleAssignData> {
+        throw new Error("Method not implemented.");
+    }
+
+    getSuccessMessage(): string {
+        return msg("Successfully assigned permission.");
+    }
+
+    send(data: RoleAssignData): Promise<unknown> {
+        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssignCreate({
+            uuid: data.role,
+            permissionAssignRequest: {
+                permissions: Object.keys(data.permissions).filter((key) => data.permissions[key]),
+                model: this.model!,
+                objectPk: this.objectPk,
+            },
+        });
+    }
+
+    renderForm(): TemplateResult {
+        if (!this.modelPermissions) {
+            return html``;
+        }
+        return html`<form class="pf-c-form pf-m-horizontal">
+            <ak-form-element-horizontal label=${msg("Role")} name="role">
+                <ak-search-select
+                    .fetchObjects=${async (query?: string): Promise<Role[]> => {
+                        const args: RbacRolesListRequest = {
+                            ordering: "name",
+                        };
+                        if (query !== undefined) {
+                            args.search = query;
+                        }
+                        const roles = await new RbacApi(DEFAULT_CONFIG).rbacRolesList(args);
+                        return roles.results;
+                    }}
+                    .renderElement=${(role: Role): string => {
+                        return role.name;
+                    }}
+                    .value=${(role: Role | undefined): string | undefined => {
+                        return role?.pk;
+                    }}
+                >
+                </ak-search-select>
+            </ak-form-element-horizontal>
+            ${this.modelPermissions?.results.map((perm) => {
+                return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
+                    <label class="pf-c-switch">
+                        <input class="pf-c-switch__input" type="checkbox" />
+                        <span class="pf-c-switch__toggle">
+                            <span class="pf-c-switch__toggle-icon">
+                                <i class="fas fa-check" aria-hidden="true"></i>
+                            </span>
+                        </span>
+                        <span class="pf-c-switch__label">${perm.name}</span>
+                    </label>
+                </ak-form-element-horizontal>`;
+            })}
+        </form>`;
+    }
+}
--- a/web/src/elements/rbac/RoleObjectPermissionTable.ts
+++ b/web/src/elements/rbac/RoleObjectPermissionTable.ts
@ -0,0 +1,97 @@
+import { DEFAULT_CONFIG } from "@goauthentik/app/common/api/config";
+import { PaginatedResponse, Table, TableColumn } from "@goauthentik/app/elements/table/Table";
+import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/RoleObjectPermissionForm";
+import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
+import { customElement, property, state } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    PaginatedPermissionList,
+    RbacApi,
+    RbacPermissionsAssignedByRolesListModelEnum,
+    RoleAssignedObjectPermission,
+} from "@goauthentik/api";
+
+@customElement("ak-rbac-role-object-permission-table")
+export class RoleAssignedObjectPermissionTable extends Table<RoleAssignedObjectPermission> {
+    @property()
+    model?: RbacPermissionsAssignedByRolesListModelEnum;
+
+    @property()
+    objectPk?: string | number;
+
+    @state()
+    modelPermissions?: PaginatedPermissionList;
+
+    async apiEndpoint(page: number): Promise<PaginatedResponse<RoleAssignedObjectPermission>> {
+        const perms = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesList({
+            page: page,
+            // TODO: better default
+            model: this.model || RbacPermissionsAssignedByRolesListModelEnum.CoreUser,
+            objectPk: this.objectPk?.toString(),
+        });
+        const [appLabel, modelName] = (this.model || "").split(".");
+        const modelPermissions = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+            contentTypeModel: modelName,
+            contentTypeAppLabel: appLabel,
+            ordering: "codename",
+        });
+        modelPermissions.results = modelPermissions.results.filter((value) => {
+            return !value.codename.startsWith("add_");
+        });
+        this.modelPermissions = modelPermissions;
+        return perms;
+    }
+
+    columns(): TableColumn[] {
+        const baseColumns = [new TableColumn("User", "user")];
+        // We don't check pagination since models shouldn't need to have that many permissions?
+        this.modelPermissions?.results.forEach((perm) => {
+            baseColumns.push(new TableColumn(perm.name, perm.codename));
+        });
+        return baseColumns;
+    }
+
+    renderObjectCreate(): TemplateResult {
+        return html`<ak-forms-modal>
+            <span slot="submit"> ${msg("Assign")} </span>
+            <span slot="header"> ${msg("Assign permission to role")} </span>
+            <ak-rbac-role-object-permission-form
+                model=${ifDefined(this.model)}
+                objectPk=${ifDefined(this.objectPk)}
+                slot="form"
+            >
+            </ak-rbac-role-object-permission-form>
+            <button slot="trigger" class="pf-c-button pf-m-primary">
+                ${msg("Assign to new role")}
+            </button>
+        </ak-forms-modal>`;
+    }
+
+    row(item: RoleAssignedObjectPermission): TemplateResult[] {
+        const baseRow = [html` <a href="#/identity/roles/${item.rolePk}">${item.name}</a>`];
+        this.modelPermissions?.results.forEach((perm) => {
+            const granted =
+                item.permissions.filter((uperm) => uperm.codename === perm.codename).length > 0;
+            baseRow.push(html`
+                <ak-action-button
+                    .apiRequest=${async () => {
+                        console.log(granted);
+                    }}
+                    class="pf-m-link"
+                >
+                    ${granted
+                        ? html`<pf-tooltip position="top" content=${msg("Directly assigned")}
+                              >✓</pf-tooltip
+                          >`
+                        : html`X`}
+                </ak-action-button>
+            `);
+        });
+        return baseRow;
+    }
+}
--- a/web/src/elements/rbac/UserObjectPermissionForm.ts
+++ b/web/src/elements/rbac/UserObjectPermissionForm.ts
@ -0,0 +1,111 @@
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import "@goauthentik/components/ak-toggle-group";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
+import { customElement, property, state } from "lit/decorators.js";
+
+import {
+    CoreApi,
+    CoreUsersListRequest,
+    ModelEnum,
+    PaginatedPermissionList,
+    RbacApi,
+    User,
+} from "@goauthentik/api";
+
+interface UserAssignData {
+    user: number;
+    permissions: {
+        [key: string]: boolean;
+    };
+}
+
+@customElement("ak-rbac-user-object-permission-form")
+export class UserObjectPermissionForm extends ModelForm<UserAssignData, number> {
+    @property()
+    model?: ModelEnum;
+
+    @property()
+    objectPk?: string;
+
+    @state()
+    modelPermissions?: PaginatedPermissionList;
+
+    async load(): Promise<void> {
+        const [appLabel, modelName] = (this.model || "").split(".");
+        this.modelPermissions = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+            contentTypeModel: modelName,
+            contentTypeAppLabel: appLabel,
+            ordering: "codename",
+        });
+    }
+
+    loadInstance(): Promise<UserAssignData> {
+        throw new Error("Method not implemented.");
+    }
+
+    getSuccessMessage(): string {
+        return msg("Successfully assigned permission.");
+    }
+
+    send(data: UserAssignData): Promise<unknown> {
+        return new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersAssignCreate({
+            id: data.user,
+            permissionAssignRequest: {
+                permissions: Object.keys(data.permissions).filter((key) => data.permissions[key]),
+                model: this.model!,
+                objectPk: this.objectPk!,
+            },
+        });
+    }
+
+    renderForm(): TemplateResult {
+        if (!this.modelPermissions) {
+            return html``;
+        }
+        return html`<form class="pf-c-form pf-m-horizontal">
+            <ak-form-element-horizontal label=${msg("User")} name="user">
+                <ak-search-select
+                    .fetchObjects=${async (query?: string): Promise<User[]> => {
+                        const args: CoreUsersListRequest = {
+                            ordering: "username",
+                        };
+                        if (query !== undefined) {
+                            args.search = query;
+                        }
+                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(args);
+                        return users.results;
+                    }}
+                    .renderElement=${(user: User): string => {
+                        return user.username;
+                    }}
+                    .renderDescription=${(user: User): TemplateResult => {
+                        return html`${user.name}`;
+                    }}
+                    .value=${(user: User | undefined): number | undefined => {
+                        return user?.pk;
+                    }}
+                >
+                </ak-search-select>
+            </ak-form-element-horizontal>
+            ${this.modelPermissions?.results.map((perm) => {
+                return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
+                    <label class="pf-c-switch">
+                        <input class="pf-c-switch__input" type="checkbox" />
+                        <span class="pf-c-switch__toggle">
+                            <span class="pf-c-switch__toggle-icon">
+                                <i class="fas fa-check" aria-hidden="true"></i>
+                            </span>
+                        </span>
+                        <span class="pf-c-switch__label">${perm.name}</span>
+                    </label>
+                </ak-form-element-horizontal>`;
+            })}
+        </form>`;
+    }
+}
--- a/web/src/elements/rbac/UserObjectPermissionTable.ts
+++ b/web/src/elements/rbac/UserObjectPermissionTable.ts
@ -0,0 +1,90 @@
+import { DEFAULT_CONFIG } from "@goauthentik/app/common/api/config";
+import { PaginatedResponse, Table, TableColumn } from "@goauthentik/app/elements/table/Table";
+import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/rbac/UserObjectPermissionForm";
+import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, html } from "lit";
+import { customElement, property, state } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    PaginatedPermissionList,
+    RbacApi,
+    RbacPermissionsAssignedByUsersListModelEnum,
+    UserAssignedObjectPermission,
+} from "@goauthentik/api";
+
+@customElement("ak-rbac-user-object-permission-table")
+export class UserAssignedObjectPermissionTable extends Table<UserAssignedObjectPermission> {
+    @property()
+    model?: RbacPermissionsAssignedByUsersListModelEnum;
+
+    @property()
+    objectPk?: string | number;
+
+    @state()
+    modelPermissions?: PaginatedPermissionList;
+
+    async apiEndpoint(page: number): Promise<PaginatedResponse<UserAssignedObjectPermission>> {
+        const perms = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersList({
+            page: page,
+            // TODO: better default
+            model: this.model || RbacPermissionsAssignedByUsersListModelEnum.CoreUser,
+            objectPk: this.objectPk?.toString(),
+        });
+        const [appLabel, modelName] = (this.model || "").split(".");
+        const modelPermissions = await new RbacApi(DEFAULT_CONFIG).rbacPermissionsList({
+            contentTypeModel: modelName,
+            contentTypeAppLabel: appLabel,
+            ordering: "codename",
+        });
+        modelPermissions.results = modelPermissions.results.filter((value) => {
+            return !value.codename.startsWith("add_");
+        });
+        this.modelPermissions = modelPermissions;
+        return perms;
+    }
+
+    columns(): TableColumn[] {
+        const baseColumns = [new TableColumn("User", "user")];
+        // We don't check pagination since models shouldn't need to have that many permissions?
+        this.modelPermissions?.results.forEach((perm) => {
+            baseColumns.push(new TableColumn(perm.name, perm.codename));
+        });
+        return baseColumns;
+    }
+
+    renderObjectCreate(): TemplateResult {
+        return html`<ak-forms-modal>
+            <span slot="submit"> ${msg("Assign")} </span>
+            <span slot="header"> ${msg("Assign permission to user")} </span>
+            <ak-rbac-user-object-permission-form
+                model=${ifDefined(this.model)}
+                objectPk=${ifDefined(this.objectPk)}
+                slot="form"
+            >
+            </ak-rbac-user-object-permission-form>
+            <button slot="trigger" class="pf-c-button pf-m-primary">
+                ${msg("Assign to new user")}
+            </button>
+        </ak-forms-modal>`;
+    }
+
+    row(item: UserAssignedObjectPermission): TemplateResult[] {
+        const baseRow = [html` <a href="#/identity/users/${item.pk}"> ${item.username} </a> `];
+        this.modelPermissions?.results.forEach((perm) => {
+            let cell = html`X`;
+            if (item.permissions.filter((uperm) => uperm.codename === perm.codename).length > 0) {
+                cell = html`<pf-tooltip position="top" content=${msg("Directly assigned")}
+                    >✓</pf-tooltip
+                >`;
+            } else if (item.isSuperuser) {
+                cell = html`<pf-tooltip position="top" content=${msg("Superuser")}>✓</pf-tooltip>`;
+            }
+            baseRow.push(cell);
+        });
+        return baseRow;
+    }
+}