The user interface and API endpoints of the E-Commerce Service (Otto) need to be better secured. Presently all LMS staff users have superuser access to Otto. This configuration initially worked well when only engineers needed access to the system. However, as we expand usage of service to other members of the organization—Support, Finance, Program Managers—we must better protect our users' personal information as well as our own financial transaction data.

The roles and permissions implementation should meet the following criteria:

Access to data/views should require specific permissions.
Roles, representing a collection of permissions, should be created for each corresponding organizational role (e.g. Support, Finance, Program Manager).
The assignment of users to roles should be centrally maintained (preferably at an auth server/LMS).
When a user authenticates using OpenID Connect, the authentication server should send the user's list of roles so that appropriate assignments can be made in Otto's database.

XCOM-368

Browser not supported