microsoft
diff --git a/‎CHANGELOG.md
+1 b/‎CHANGELOG.md
+1
diff --git a/‎api_app/_version.py
+1-1 b/‎api_app/_version.py
+1-1
diff --git a/‎api_app/api/routes/api.py
+5-1 b/‎api_app/api/routes/api.py
+5-1
diff --git a/‎api_app/api/routes/workspace_users.py
+57 b/‎api_app/api/routes/workspace_users.py
+57
diff --git a/‎api_app/api/routes/workspaces.py
-9 b/‎api_app/api/routes/workspaces.py
-9
diff --git a/‎api_app/core/config.py
+3-1 b/‎api_app/core/config.py
+3-1
diff --git a/‎api_app/models/domain/authentication.py
-2 b/‎api_app/models/domain/authentication.py
-2
diff --git a/‎api_app/models/domain/workspace_users.py
+36 b/‎api_app/models/domain/workspace_users.py
+36
diff --git a/‎api_app/models/schemas/roles.py
+7 b/‎api_app/models/schemas/roles.py
+7
diff --git a/‎api_app/models/schemas/users.py
+31-8 b/‎api_app/models/schemas/users.py
+31-8
diff --git a/‎api_app/models/schemas/workspace_users.py
+15 b/‎api_app/models/schemas/workspace_users.py
+15
diff --git a/‎api_app/resources/strings.py
+7 b/‎api_app/resources/strings.py
+7
@@ -3,6 +3,7 @@
 **BREAKING CHANGES & MIGRATIONS**:
 
 ENHANCEMENTS:
+* Added ability to manage user workspace roles from the UI (only visible if feature is enabled with the `user_management_enabled` flag, user is a TREAdmin, the workspace has Entra ID (AAD) Groups enabled and workspace version is > 2.2.0 ) [#4337](https://github.com/microsoft/AzureTRE/issues/4337)
 * Add 7 day retention on workspace storage accounts. ([#4389](https://github.com/microsoft/AzureTRE/issues/4389))
 * Enabled Structured Azure Firewall logs for TRE firewall. [#4430](https://github.com/microsoft/AzureTRE/issues/4430)
 * Deny public access to TRE management storage account, and add private endpoint for TRE core [#4353](https://github.com/microsoft/AzureTRE/issues/4353)
 
@@ -1 +1 @@
-__version__ = "0.21.1"
+__version__ = "0.23.0"
@@ -8,7 +8,7 @@
 from api.helpers import get_repository
 from db.repositories.workspaces import WorkspaceRepository
 from api.routes import health, ping, workspaces, workspace_templates, workspace_service_templates, user_resource_templates, \
-    shared_services, shared_service_templates, migrations, costs, airlock, operations, metadata, requests
+    shared_services, shared_service_templates, migrations, costs, airlock, operations, metadata, requests, workspace_users
 from core import config
 from resources import strings
 
@@ -50,6 +50,10 @@
 core_router.include_router(costs.costs_core_router, tags=["costs"])
 core_router.include_router(costs.costs_workspace_router, tags=["costs"])
 core_router.include_router(requests.router, tags=["requests"])
+core_router.include_router(workspace_users.workspaces_users_shared_router, tags=["users"])
+
+if config.USER_MANAGEMENT_ENABLED:
+    core_router.include_router(workspace_users.workspaces_users_admin_router, tags=["users"])
 
 core_swagger_router = APIRouter()
 swagger_disabled_router = APIRouter()
 
@@ -0,0 +1,57 @@
+from fastapi import APIRouter, Depends, Response, status
+from api.dependencies.workspaces import get_workspace_by_id_from_path
+from models.schemas.workspace_users import UserRoleAssignmentRequest
+from resources import strings
+from services.authentication import get_access_service
+from models.schemas.users import UsersInResponse, AssignableUsersInResponse, WorkspaceUserOperationResponse
+from models.schemas.roles import RolesInResponse
+from services.authentication import get_current_admin_user, get_current_workspace_owner_or_researcher_user_or_airlock_manager_or_tre_admin
+
+workspaces_users_admin_router = APIRouter(dependencies=[Depends(get_current_admin_user)])
+workspaces_users_shared_router = APIRouter(dependencies=[Depends(get_current_workspace_owner_or_researcher_user_or_airlock_manager_or_tre_admin)])
+
+
+@workspaces_users_shared_router.get("/workspaces/{workspace_id}/users", response_model=UsersInResponse, name=strings.API_GET_WORKSPACE_USERS)
+async def get_workspace_users(workspace=Depends(get_workspace_by_id_from_path), access_service=Depends(get_access_service)) -> UsersInResponse:
+    users = access_service.get_workspace_users(workspace)
+    return UsersInResponse(users=users)
+
+
+@workspaces_users_admin_router.get("/workspaces/{workspace_id}/assignable-users", response_model=AssignableUsersInResponse, name=strings.API_GET_ASSIGNABLE_USERS)
+async def get_assignable_users(filter: str = "", maxResultCount: int = 5, access_service=Depends(get_access_service)) -> AssignableUsersInResponse:
+    assignable_users = access_service.get_assignable_users(filter, maxResultCount)
+    return AssignableUsersInResponse(assignable_users=assignable_users)
+
+
+@workspaces_users_admin_router.get("/workspaces/{workspace_id}/roles", response_model=RolesInResponse, name=strings.API_GET_WORKSPACE_ROLES)
+async def get_workspace_roles(workspace=Depends(get_workspace_by_id_from_path), access_service=Depends(get_access_service)) -> RolesInResponse:
+    roles = access_service.get_workspace_roles(workspace)
+    return RolesInResponse(roles=roles)
+
+
+@workspaces_users_admin_router.post("/workspaces/{workspace_id}/users/assign", status_code=status.HTTP_202_ACCEPTED, name=strings.API_ASSIGN_WORKSPACE_USER)
+async def assign_workspace_user(response: Response, userRoleAssignmentRequest: UserRoleAssignmentRequest, workspace=Depends(get_workspace_by_id_from_path), access_service=Depends(get_access_service)) -> WorkspaceUserOperationResponse:
+
+    for user_id in userRoleAssignmentRequest.user_ids:
+        access_service.assign_workspace_user(
+            user_id,
+            workspace,
+            userRoleAssignmentRequest.role_id
+        )
+
+    return WorkspaceUserOperationResponse(user_ids=userRoleAssignmentRequest.user_ids, role_id=userRoleAssignmentRequest.role_id)
+
+
+@workspaces_users_admin_router.delete("/workspaces/{workspace_id}/users/assign", status_code=status.HTTP_202_ACCEPTED, name=strings.API_REMOVE_WORKSPACE_USER_ASSIGNMENT)
+async def remove_workspace_user_assignment(user_id: str,
+                                           role_id: str,
+                                           workspace=Depends(get_workspace_by_id_from_path),
+                                           access_service=Depends(get_access_service)) -> WorkspaceUserOperationResponse:
+
+    access_service.remove_workspace_role_user_assignment(
+        user_id,
+        role_id,
+        workspace
+    )
+
+    return WorkspaceUserOperationResponse(user_ids=[user_id], role_id=role_id)
@@ -21,7 +21,6 @@
 from models.schemas.workspace_service import WorkspaceServiceInCreate, WorkspaceServicesInList, WorkspaceServiceInResponse
 from models.schemas.resource import ResourceHistoryInList, ResourcePatch
 from models.schemas.resource_template import ResourceTemplateInformationInList
-from models.schemas.users import UsersInResponse
 from resources import strings
 from services.access_service import AuthConfigValidationError
 from services.authentication import get_current_admin_user, \
@@ -38,7 +37,6 @@
 from models.domain.request_action import RequestAction
 from services.logging import logger
 
-
 workspaces_core_router = APIRouter(dependencies=[Depends(get_current_tre_user_or_tre_admin)])
 workspaces_shared_router = APIRouter(dependencies=[Depends(get_current_workspace_owner_or_researcher_user_or_airlock_manager_or_tre_admin)])
 workspace_services_workspace_router = APIRouter(dependencies=[Depends(get_current_workspace_owner_or_researcher_user_or_airlock_manager)])
@@ -188,13 +186,6 @@ async def invoke_action_on_workspace(response: Response, action: str, user=Depen
     return OperationInResponse(operation=operation)
 
 
-@workspaces_shared_router.get("/workspaces/{workspace_id}/users", response_model=UsersInResponse, name=strings.API_GET_WORKSPACE_USERS)
-async def get_workspace_users(workspace=Depends(get_workspace_by_id_from_path)) -> UsersInResponse:
-    access_service = get_access_service()
-    users = access_service.get_workspace_users(workspace)
-    return UsersInResponse(users=users)
-
-
 # workspace operations
 # This method only returns templates that the authenticated user is authorized to use
 @workspaces_shared_router.get("/workspaces/{workspace_id}/workspace-service-templates", response_model=ResourceTemplateInformationInList, name=strings.API_GET_WORKSPACE_SERVICE_TEMPLATES_IN_WORKSPACE)
 
@@ -36,7 +36,6 @@
 SUBSCRIPTION_ID: str = config("SUBSCRIPTION_ID", default="")
 RESOURCE_GROUP_NAME: str = config("RESOURCE_GROUP_NAME", default="")
 
-
 # Service bus configuration
 SERVICE_BUS_FULLY_QUALIFIED_NAMESPACE: str = config("SERVICE_BUS_FULLY_QUALIFIED_NAMESPACE", default="")
 SERVICE_BUS_RESOURCE_REQUEST_QUEUE: str = config("SERVICE_BUS_RESOURCE_REQUEST_QUEUE", default="")
@@ -72,3 +71,6 @@
 ENABLE_AIRLOCK_EMAIL_CHECK: bool = config("ENABLE_AIRLOCK_EMAIL_CHECK", cast=bool, default=False)
 
 API_ROOT_SCOPE: str = f"api://{API_CLIENT_ID}/user_impersonation"
+
+# User Management
+USER_MANAGEMENT_ENABLED: bool = config("USER_MANAGEMENT_ENABLED", cast=bool, default=False)
@@ -1,9 +1,7 @@
 from collections import namedtuple
 from typing import List
-
 from pydantic import BaseModel, Field
 
-
 RoleAssignment = namedtuple("RoleAssignment", "resource_id, role_id")
 
 
 
@@ -0,0 +1,36 @@
+from typing import List
+from pydantic import BaseModel, Field
+from enum import Enum
+
+
+class AssignableUser(BaseModel):
+    id: str
+    displayName: str
+    userPrincipalName: str
+    email: str = Field(default=None)
+
+
+class AssignmentType(Enum):
+    APP_ROLE = "ApplicationRole"
+    GROUP = "Group"
+
+
+class Role(BaseModel):
+    id: str
+    displayName: str
+
+    def __eq__(self, other):
+        if not isinstance(other, Role):
+            return False
+        return self.id == other.id
+
+    def __hash__(self):
+        return hash(self.id)
+
+
+class AssignedUser(BaseModel):
+    id: str
+    displayName: str
+    userPrincipalName: str
+    email: str = Field(default=None)
+    roles: List[Role] = Field(default_factory=list)
@@ -0,0 +1,7 @@
+from pydantic import BaseModel, Field
+from typing import List
+from models.domain.workspace_users import Role
+
+
+class RolesInResponse(BaseModel):
+    roles: List[Role] = Field(..., title="Roles", description="List of roles in a workspace")
@@ -1,28 +1,51 @@
 from pydantic import BaseModel, Field
 from typing import List
 
-from models.domain.authentication import User
+from models.domain.workspace_users import AssignedUser, AssignableUser
 
 
 class UsersInResponse(BaseModel):
-    users: List[User] = Field(..., title="Users", description="List of users assigned to the workspace")
+    users: List[AssignedUser] = Field(..., title="Users", description="List of users assigned to the workspace")
 
     class Config:
         schema_extra = {
             "example": {
                 "users": [
                     {
                         "id": 1,
-                        "name": "John Doe",
-                        "email": "[email protected]",
-                        "roles": ["WorkspaceOwner", "WorkspaceResearcher"]
+                        "displayName": "John Doe",
+                        "userPrincipalName": "[email protected]",
+                        "roles": [
+                            {
+                                "id": 1,
+                                "displayName": "WorkspaceOwner"
+                            },
+                            {
+                                "id": 2,
+                                "displayName": "WorkspaceResearcher"
+                            }
+                        ]
                     },
                     {
                         "id": 2,
-                        "name": "Jane Smith",
-                        "email": "[email protected]",
-                        "roles": ["WorkspaceResearcher"]
+                        "displayName": "Jane Smith",
+                        "userPrincipalName": "[email protected]",
+                        "roles": [
+                            {
+                                "id": 2,
+                                "displayName": "WorkspaceResearcher"
+                            }
+                        ]
                     }
                 ]
             }
         }
+
+
+class AssignableUsersInResponse(BaseModel):
+    assignable_users: List[AssignableUser] = Field(..., title="Assignable Users", description="List of users assignable to a workspace")
+
+
+class WorkspaceUserOperationResponse(BaseModel):
+    user_ids: List[str] = Field(..., title="User IDs", description="List of user IDs")
+    role_id: str = Field(..., title="Role ID", description="Role ID")
@@ -0,0 +1,15 @@
+from typing import List
+from pydantic import BaseModel, Field
+
+
+class UserRoleAssignmentRequest(BaseModel):
+    role_id: str = Field(title="Role Id", description="Role to assign users to")
+    user_ids: List[str] = Field(default_factory=list, title="List of User Ids", description="List of User Ids to assign the role to")
+
+    class Config:
+        schema_extra = {
+            "example": {
+                "role_id": "1234",
+                "user_ids": ["1", "2"]
+            }
+        }
@@ -16,6 +16,10 @@
 API_INVOKE_ACTION_ON_WORKSPACE = "Invoke action on a workspace"
 
 API_GET_WORKSPACE_USERS = "Get all users for a workspace"
+API_GET_ASSIGNABLE_USERS = "Get all users assignable to a workspace"
+API_GET_WORKSPACE_ROLES = "Get all the roles belonging to a workspace"
+API_ASSIGN_WORKSPACE_USER = "Assign a user to a workspace role"
+API_REMOVE_WORKSPACE_USER_ASSIGNMENT = "Remove a user from a workspace role"
 
 API_GET_ALL_WORKSPACE_SERVICES = "Get all workspace services for workspace"
 API_GET_WORKSPACE_SERVICE_BY_ID = "Get workspace service by Id"
@@ -256,3 +260,6 @@
 
 # Value that a sensitive is replaced with in Cosmos
 REDACTED_SENSITIVE_VALUE = "REDACTED"
+
+# User Management
+USER_MANAGEMENT_DISABLED = "User management is disabled"
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.21.1"`
	`1`	`+__version__ = "0.23.0"`