From 53baf4eb787d2626f27dac76291013ebe9dd5be2 Mon Sep 17 00:00:00 2001 From: Gary Sharp Date: Sat, 13 Jan 2024 16:56:23 +1100 Subject: [PATCH] #138 device flag authorization claims --- Disco.Services/Authorization/Claims.cs | 86 ++++++++++++++++++- Disco.Services/Authorization/Claims.tt | 3 - .../ClaimGroups/Configuration/ConfigClaims.cs | 3 + .../DeviceFlag/DeviceFlagClaims.cs | 20 +++++ .../ClaimGroups/Device/DeviceActionsClaims.cs | 6 ++ .../Roles/ClaimGroups/Device/DeviceClaims.cs | 3 +- 6 files changed, 113 insertions(+), 8 deletions(-) create mode 100644 Disco.Services/Authorization/Roles/ClaimGroups/Configuration/DeviceFlag/DeviceFlagClaims.cs diff --git a/Disco.Services/Authorization/Claims.cs b/Disco.Services/Authorization/Claims.cs index 6452cdf1..ee8016ab 100644 --- a/Disco.Services/Authorization/Claims.cs +++ b/Disco.Services/Authorization/Claims.cs @@ -1,7 +1,4 @@ - - - -// +// // This file was generated by a T4 template. // Don't change it directly as your change would get overwritten. Instead, make changes // to the .tt file (i.e. the T4 template) and save it to regenerate this file. 
@@ -34,6 +31,11 @@ namespace Disco.Services.Authorization { "Config.DeviceBatch.Delete", new Tuple, Action, string, string, bool>(c => c.Config.DeviceBatch.Delete, (c, v) => c.Config.DeviceBatch.Delete = v, "Delete Device Batches", "Can delete device batches", false) }, { "Config.DeviceBatch.Show", new Tuple, Action, string, string, bool>(c => c.Config.DeviceBatch.Show, (c, v) => c.Config.DeviceBatch.Show = v, "Show Device Batches", "Can show device batches", false) }, { "Config.DeviceBatch.ShowTimeline", new Tuple, Action, string, string, bool>(c => c.Config.DeviceBatch.ShowTimeline, (c, v) => c.Config.DeviceBatch.ShowTimeline = v, "Show Timeline", "Can show device batch timeline", false) }, + { "Config.DeviceFlag.Configure", new Tuple, Action, string, string, bool>(c => c.Config.DeviceFlag.Configure, (c, v) => c.Config.DeviceFlag.Configure = v, "Configure Device Flags", "Can configure device flags", false) }, + { "Config.DeviceFlag.Create", new Tuple, Action, string, string, bool>(c => c.Config.DeviceFlag.Create, (c, v) => c.Config.DeviceFlag.Create = v, "Create Device Flags", "Can create device flags", false) }, + { "Config.DeviceFlag.Delete", new Tuple, Action, string, string, bool>(c => c.Config.DeviceFlag.Delete, (c, v) => c.Config.DeviceFlag.Delete = v, "Delete Device Flags", "Can delete device flags", false) }, + { "Config.DeviceFlag.Export", new Tuple, Action, string, string, bool>(c => c.Config.DeviceFlag.Export, (c, v) => c.Config.DeviceFlag.Export = v, "Export Device Flag Assignments", "Can export user device assignments", false) }, + { "Config.DeviceFlag.Show", new Tuple, Action, string, string, bool>(c => c.Config.DeviceFlag.Show, (c, v) => c.Config.DeviceFlag.Show = v, "Show Device Flags", "Can show device flags", false) }, { "Config.DeviceModel.ConfigureComponents", new Tuple, Action, string, string, bool>(c => c.Config.DeviceModel.ConfigureComponents, (c, v) => c.Config.DeviceModel.ConfigureComponents = v, "Configure Device Model Components", "Can 
configure device model components", false) }, { "Config.DeviceModel.Configure", new Tuple, Action, string, string, bool>(c => c.Config.DeviceModel.Configure, (c, v) => c.Config.DeviceModel.Configure = v, "Configure Device Models", "Can configure device models", false) }, { "Config.DeviceModel.Delete", new Tuple, Action, string, string, bool>(c => c.Config.DeviceModel.Delete, (c, v) => c.Config.DeviceModel.Delete = v, "Delete Device Models", "Can delete device models", false) }, 
@@ -186,22 +188,26 @@ namespace Disco.Services.Authorization { "Device.Properties.DeviceProfile", new Tuple, Action, string, string, bool>(c => c.Device.Properties.DeviceProfile, (c, v) => c.Device.Properties.DeviceProfile = v, "Device Profile Property", "Can update property", false) }, { "Device.Properties.Location", new Tuple, Action, string, string, bool>(c => c.Device.Properties.Location, (c, v) => c.Device.Properties.Location = v, "Location Property", "Can update property", false) }, { "Device.Actions.AddAttachments", new Tuple, Action, string, string, bool>(c => c.Device.Actions.AddAttachments, (c, v) => c.Device.Actions.AddAttachments = v, "Add Attachments", "Can add attachments to devices", false) }, + { "Device.Actions.AddFlags", new Tuple, Action, string, string, bool>(c => c.Device.Actions.AddFlags, (c, v) => c.Device.Actions.AddFlags = v, "Add Device Flags", "Can add device flags", false) }, { "Device.Actions.AllowUnauthenticatedEnrol", new Tuple, Action, string, string, bool>(c => c.Device.Actions.AllowUnauthenticatedEnrol, (c, v) => c.Device.Actions.AllowUnauthenticatedEnrol = v, "Allow Unauthenticated Enrol", "Can allow devices to enrol without authentication", false) }, { "Device.Actions.AssignUser", new Tuple, Action, string, string, bool>(c => c.Device.Actions.AssignUser, (c, v) => c.Device.Actions.AssignUser = v, "Assign User", "Can update the user assignment of devices", false) }, { "Device.Actions.Decommission", new Tuple, Action, string, string, bool>(c => c.Device.Actions.Decommission, (c, v) => c.Device.Actions.Decommission = v, "Decommission", "Can decommission devices", false) }, { "Device.Actions.Delete", new Tuple, Action, string, string, bool>(c => c.Device.Actions.Delete, (c, v) => c.Device.Actions.Delete = v, "Delete", "Can delete devices", false) }, + { "Device.Actions.EditFlags", new Tuple, Action, string, string, bool>(c => c.Device.Actions.EditFlags, (c, v) => c.Device.Actions.EditFlags = v, "Edit Device Flags", "Can edit device 
flags", false) }, { "Device.Actions.EnrolDevices", new Tuple, Action, string, string, bool>(c => c.Device.Actions.EnrolDevices, (c, v) => c.Device.Actions.EnrolDevices = v, "Enrol Devices", "Can add devices offline and enrol devices with the Bootstrapper", false) }, { "Device.Actions.Export", new Tuple, Action, string, string, bool>(c => c.Device.Actions.Export, (c, v) => c.Device.Actions.Export = v, "Export Devices", "Can export devices in a bulk format", false) }, { "Device.Actions.GenerateDocuments", new Tuple, Action, string, string, bool>(c => c.Device.Actions.GenerateDocuments, (c, v) => c.Device.Actions.GenerateDocuments = v, "Generate Documents", "Can generate documents for jobs", false) }, { "Device.Actions.Import", new Tuple, Action, string, string, bool>(c => c.Device.Actions.Import, (c, v) => c.Device.Actions.Import = v, "Import Devices", "Can bulk import devices", false) }, { "Device.Actions.Recommission", new Tuple, Action, string, string, bool>(c => c.Device.Actions.Recommission, (c, v) => c.Device.Actions.Recommission = v, "Recommission", "Can recommission devices", false) }, { "Device.Actions.RemoveAnyAttachments", new Tuple, Action, string, string, bool>(c => c.Device.Actions.RemoveAnyAttachments, (c, v) => c.Device.Actions.RemoveAnyAttachments = v, "Remove Any Attachments", "Can remove any attachments from devices", false) }, + { "Device.Actions.RemoveFlags", new Tuple, Action, string, string, bool>(c => c.Device.Actions.RemoveFlags, (c, v) => c.Device.Actions.RemoveFlags = v, "Remove Device Flags", "Can remove device flags", false) }, { "Device.Actions.RemoveOwnAttachments", new Tuple, Action, string, string, bool>(c => c.Device.Actions.RemoveOwnAttachments, (c, v) => c.Device.Actions.RemoveOwnAttachments = v, "Remove Own Attachments", "Can remove own attachments from devices", false) }, { "Device.Search", new Tuple, Action, string, string, bool>(c => c.Device.Search, (c, v) => c.Device.Search = v, "Search Devices", "Can search devices", false) 
}, { "Device.ShowAssignmentHistory", new Tuple, Action, string, string, bool>(c => c.Device.ShowAssignmentHistory, (c, v) => c.Device.ShowAssignmentHistory = v, "Show Assignment History", "Can show the assignment history for devices", false) }, { "Device.ShowAttachments", new Tuple, Action, string, string, bool>(c => c.Device.ShowAttachments, (c, v) => c.Device.ShowAttachments = v, "Show Attachments", "Can show device attachments", false) }, { "Device.ShowCertificates", new Tuple, Action, string, string, bool>(c => c.Device.ShowCertificates, (c, v) => c.Device.ShowCertificates = v, "Show Certificates", "Can show certificates associated with devices", false) }, { "Device.ShowDetails", new Tuple, Action, string, string, bool>(c => c.Device.ShowDetails, (c, v) => c.Device.ShowDetails = v, "Show Details", "Can show details associated with devices", false) }, + { "Device.ShowFlagAssignments", new Tuple, Action, string, string, bool>(c => c.Device.ShowFlagAssignments, (c, v) => c.Device.ShowFlagAssignments = v, "Show Device Flag Assignments", "Can show flags associated with devices", false) }, { "Device.Show", new Tuple, Action, string, string, bool>(c => c.Device.Show, (c, v) => c.Device.Show = v, "Show Devices", "Can show devices", false) }, { "Device.ShowJobs", new Tuple, Action, string, string, bool>(c => c.Device.ShowJobs, (c, v) => c.Device.ShowJobs = v, "Show Devices Jobs", "Can show jobs associated with devices", false) }, { "User.Actions.AddAttachments", new Tuple, Action, string, string, bool>(c => c.User.Actions.AddAttachments, (c, v) => c.User.Actions.AddAttachments = v, "Add Attachments", "Can add attachments to users", false) }, 
@@ -239,6 +245,13 @@ namespace Disco.Services.Authorization new ClaimNavigatorItem("Config.DeviceCertificate", "Device Certificates", "Permissions related to Device Certificates", false, new List() { new ClaimNavigatorItem("Config.DeviceCertificate.DownloadCertificates", false) }), + new ClaimNavigatorItem("Config.DeviceFlag", "Device Flags", "Permissions related to Device Flags", false, new List() { + new ClaimNavigatorItem("Config.DeviceFlag.Configure", false), + new ClaimNavigatorItem("Config.DeviceFlag.Create", false), + new ClaimNavigatorItem("Config.DeviceFlag.Delete", false), + new ClaimNavigatorItem("Config.DeviceFlag.Export", false), + new ClaimNavigatorItem("Config.DeviceFlag.Show", false) + }), new ClaimNavigatorItem("Config.DeviceModel", "Device Models", "Permissions related to Device Models", false, new List() { new ClaimNavigatorItem("Config.DeviceModel.ConfigureComponents", false), new ClaimNavigatorItem("Config.DeviceModel.Configure", false), 
@@ -431,16 +444,19 @@ namespace Disco.Services.Authorization new ClaimNavigatorItem("Device", "Device", "Permissions related to Devices", false, new List() { new ClaimNavigatorItem("Device.Actions", "Actions", "Permissions related to Device Actions", false, new List() { new ClaimNavigatorItem("Device.Actions.AddAttachments", false), + new ClaimNavigatorItem("Device.Actions.AddFlags", false), new ClaimNavigatorItem("Device.Actions.AllowUnauthenticatedEnrol", false), new ClaimNavigatorItem("Device.Actions.AssignUser", false), new ClaimNavigatorItem("Device.Actions.Decommission", false), new ClaimNavigatorItem("Device.Actions.Delete", false), + new ClaimNavigatorItem("Device.Actions.EditFlags", false), new ClaimNavigatorItem("Device.Actions.EnrolDevices", false), new ClaimNavigatorItem("Device.Actions.Export", false), new ClaimNavigatorItem("Device.Actions.GenerateDocuments", false), new ClaimNavigatorItem("Device.Actions.Import", false), new ClaimNavigatorItem("Device.Actions.Recommission", false), new ClaimNavigatorItem("Device.Actions.RemoveAnyAttachments", false), + new ClaimNavigatorItem("Device.Actions.RemoveFlags", false), new ClaimNavigatorItem("Device.Actions.RemoveOwnAttachments", false) }), new ClaimNavigatorItem("Device.Properties", "Device Properties", "Permissions related to Device Properties", false, new List() { @@ -455,6 +471,7 @@ namespace Disco.Services.Authorization new ClaimNavigatorItem("Device.ShowAttachments", false), new ClaimNavigatorItem("Device.ShowCertificates", false), new ClaimNavigatorItem("Device.ShowDetails", false), + new ClaimNavigatorItem("Device.ShowFlagAssignments", false), new ClaimNavigatorItem("Device.Show", false), new ClaimNavigatorItem("Device.ShowJobs", false) }), 
@@ -552,6 +569,11 @@ namespace Disco.Services.Authorization c.Config.DeviceBatch.Delete = true; c.Config.DeviceBatch.Show = true; c.Config.DeviceBatch.ShowTimeline = true; + c.Config.DeviceFlag.Configure = true; + c.Config.DeviceFlag.Create = true; + c.Config.DeviceFlag.Delete = true; + c.Config.DeviceFlag.Export = true; + c.Config.DeviceFlag.Show = true; c.Config.DeviceModel.ConfigureComponents = true; c.Config.DeviceModel.Configure = true; c.Config.DeviceModel.Delete = true; @@ -704,22 +726,26 @@ namespace Disco.Services.Authorization c.Device.Properties.DeviceProfile = true; c.Device.Properties.Location = true; c.Device.Actions.AddAttachments = true; + c.Device.Actions.AddFlags = true; c.Device.Actions.AllowUnauthenticatedEnrol = true; c.Device.Actions.AssignUser = true; c.Device.Actions.Decommission = true; c.Device.Actions.Delete = true; + c.Device.Actions.EditFlags = true; c.Device.Actions.EnrolDevices = true; c.Device.Actions.Export = true; c.Device.Actions.GenerateDocuments = true; c.Device.Actions.Import = true; c.Device.Actions.Recommission = true; c.Device.Actions.RemoveAnyAttachments = true; + c.Device.Actions.RemoveFlags = true; c.Device.Actions.RemoveOwnAttachments = true; c.Device.Search = true; c.Device.ShowAssignmentHistory = true; c.Device.ShowAttachments = true; c.Device.ShowCertificates = true; c.Device.ShowDetails = true; + c.Device.ShowFlagAssignments = true; c.Device.Show = true; c.Device.ShowJobs = true; c.User.Actions.AddAttachments = true; 
@@ -828,6 +854,38 @@ namespace Disco.Services.Authorization public const string ShowTimeline = "Config.DeviceBatch.ShowTimeline"; } + /// Device Flags + /// Permissions related to Device Flags + /// + public static class DeviceFlag + { + + /// Configure Device Flags + /// Can configure device flags + /// + public const string Configure = "Config.DeviceFlag.Configure"; + + /// Create Device Flags + /// Can create device flags + /// + public const string Create = "Config.DeviceFlag.Create"; + + /// Delete Device Flags + /// Can delete device flags + /// + public const string Delete = "Config.DeviceFlag.Delete"; + + /// Export Device Flag Assignments + /// Can export user device assignments + /// + public const string Export = "Config.DeviceFlag.Export"; + + /// Show Device Flags + /// Can show device flags + /// + public const string Show = "Config.DeviceFlag.Show"; + } + /// Device Models /// Permissions related to Device Models /// @@ -1734,6 +1792,11 @@ namespace Disco.Services.Authorization /// public const string AddAttachments = "Device.Actions.AddAttachments"; + /// Add Device Flags + /// Can add device flags + /// + public const string AddFlags = "Device.Actions.AddFlags"; + /// Allow Unauthenticated Enrol /// Can allow devices to enrol without authentication /// @@ -1754,6 +1817,11 @@ namespace Disco.Services.Authorization /// public const string Delete = "Device.Actions.Delete"; + /// Edit Device Flags + /// Can edit device flags + /// + public const string EditFlags = "Device.Actions.EditFlags"; + /// Enrol Devices /// Can add devices offline and enrol devices with the Bootstrapper /// @@ -1784,6 +1852,11 @@ namespace Disco.Services.Authorization /// public const string RemoveAnyAttachments = "Device.Actions.RemoveAnyAttachments"; + /// Remove Device Flags + /// Can remove device flags + /// + public const string RemoveFlags = "Device.Actions.RemoveFlags"; + /// Remove Own Attachments /// Can remove own attachments from devices /// 
@@ -1815,6 +1888,11 @@ namespace Disco.Services.Authorization /// public const string ShowDetails = "Device.ShowDetails"; + /// Show Device Flag Assignments + /// Can show flags associated with devices + /// + public const string ShowFlagAssignments = "Device.ShowFlagAssignments"; + /// Show Devices /// Can show devices /// diff --git a/Disco.Services/Authorization/Claims.tt b/Disco.Services/Authorization/Claims.tt index ccac7a8d..9278294f 100644 --- a/Disco.Services/Authorization/Claims.tt +++ b/Disco.Services/Authorization/Claims.tt @@ -20,9 +20,6 @@ <#@ import namespace="System.Runtime.InteropServices.CustomMarshalers" #> <#@ import namespace="System.Runtime.InteropServices" #> <#@ import namespace="System.Reflection" #> - - - <# // Get the DTE service from the host EnvDTE.DTE Dte = null; diff --git a/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/ConfigClaims.cs b/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/ConfigClaims.cs index 6b2ac54e..75e44c02 100644 --- a/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/ConfigClaims.cs +++ b/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/ConfigClaims.cs @@ -22,6 +22,7 @@ namespace Disco.Services.Authorization.Roles.ClaimGroups.Configuration DeviceCertificate = new DeviceCertificateClaims(); Enrolment = new EnrolmentClaims(); DeviceBatch = new DeviceBatchClaims(); + DeviceFlag = new DeviceFlagClaims(); DeviceModel = new DeviceModelClaims(); DeviceProfile = new DeviceProfileClaims(); DocumentTemplate = new DocumentTemplateClaims(); @@ -43,6 +44,8 @@ namespace Disco.Services.Authorization.Roles.ClaimGroups.Configuration public DeviceBatchClaims DeviceBatch { get; set; } + public DeviceFlagClaims DeviceFlag { get; set; } + public DeviceModelClaims DeviceModel { get; set; } public DeviceProfileClaims DeviceProfile { get; set; } 
diff --git a/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/DeviceFlag/DeviceFlagClaims.cs b/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/DeviceFlag/DeviceFlagClaims.cs new file mode 100644 index 00000000..003ecef6 --- /dev/null +++ b/Disco.Services/Authorization/Roles/ClaimGroups/Configuration/DeviceFlag/DeviceFlagClaims.cs @@ -0,0 +1,20 @@ +namespace Disco.Services.Authorization.Roles.ClaimGroups.Configuration.UserFlag +{ + [ClaimDetails("Device Flags", "Permissions related to Device Flags")] + public class DeviceFlagClaims : BaseRoleClaimGroup + { + [ClaimDetails("Configure Device Flags", "Can configure device flags")] + public bool Configure { get; set; } + + [ClaimDetails("Create Device Flags", "Can create device flags")] + public bool Create { get; set; } + + [ClaimDetails("Delete Device Flags", "Can delete device flags")] + public bool Delete { get; set; } + [ClaimDetails("Export Device Flag Assignments", "Can export user device assignments")] + public bool Export { get; set; } + + [ClaimDetails("Show Device Flags", "Can show device flags")] + public bool Show { get; set; } + } +} diff --git a/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceActionsClaims.cs b/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceActionsClaims.cs index 1df4f3a3..33c9995c 100644 --- a/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceActionsClaims.cs +++ b/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceActionsClaims.cs 
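Review bot: The `Export` claim in the new DeviceFlagClaims.cs is described as "Can export user device assignments", which does not match its title "Export Device Flag Assignments" and reads like a leftover from another claim group. This text is what an administrator sees when granting `Config.DeviceFlag.Export`, so it should name the data the permission releases, e.g. `[ClaimDetails("Export Device Flag Assignments", "Can export device flag assignments")]`. The same string is carried into the generated Claims.cs (the dictionary entry and the doc comment on the `Export` constant), so that file needs regenerating from Claims.tt after the change. The file also declares `namespace ...Configuration.UserFlag` although it lives under Configuration/DeviceFlag. That looks like a copy-paste from the user-flag group, and moving it to `...Configuration.DeviceFlag` would presumably need a matching `using` in ConfigClaims.cs, whose using block is not visible here.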
@@ -25,6 +25,12 @@ [ClaimDetails("Generate Documents", "Can generate documents for jobs")] public bool GenerateDocuments { get; set; } + [ClaimDetails("Add Device Flags", "Can add device flags")] + public bool AddFlags { get; set; } + [ClaimDetails("Remove Device Flags", "Can remove device flags")] + public bool RemoveFlags { get; set; } + [ClaimDetails("Edit Device Flags", "Can edit device flags")] + public bool EditFlags { get; set; } [ClaimDetails("Enrol Devices", "Can add devices offline and enrol devices with the Bootstrapper")] public bool EnrolDevices { get; set; } diff --git a/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceClaims.cs b/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceClaims.cs index 895ad90f..192440fa 100644 --- a/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceClaims.cs +++ b/Disco.Services/Authorization/Roles/ClaimGroups/Device/DeviceClaims.cs @@ -25,7 +25,8 @@ public bool ShowJobs { get; set; } [ClaimDetails("Show Assignment History", "Can show the assignment history for devices")] public bool ShowAssignmentHistory { get; set; } - + [ClaimDetails("Show Device Flag Assignments", "Can show flags associated with devices")] + public bool ShowFlagAssignments { get; set; } public DevicePropertiesClaims Properties { get; set; }
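Review bot: In DeviceActionsClaims.cs the three new descriptions, "Can add device flags", "Can remove device flags" and "Can edit device flags", are hard to tell apart from the `Config.DeviceFlag` Create/Delete/Configure claims added in the same commit, so someone editing a role could grant or withhold the wrong permission. If these claims govern flag assignments on a device rather than the flag definitions (inferred from the `Device.Actions` grouping), the text should say so, e.g. `"Can add flags to devices"`, `"Can remove flags from devices"` and `"Can edit flag assignments on devices"`. The class body starts and ends outside the hunk, and the code that checks these claims is not part of this commit, so the exact scope of each claim cannot be confirmed from here.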