I think this needs discussion. I'm not currently convinced that deprecating user-level permissions is the right idea. Perhaps we can encourage people to use roles, but I'm not sure we'd want to completely deprecate user-level permissions.
The only benefit I can see for having user-level permissions is that it's easier to do ad-hoc/one-off permissions. This is also the thing that makes these permissions difficult to audit, since there's no single place to see which users have ad-hoc permissions outside of roles.
We could add more tooling to improve this situation like a detailed permissions debugger, or a single place to see all user-specific permissions, but this seems like effort that we could avoid by removing user-level permissions.
Roles also centralise the audit history for permissions, since you can (with some effort today, but definitely improvable) look at the history of what changed over time. With user-level permissions this is basically impossible or requires lots of tooling for it to be feasible.
IMO, being able to regularly review and baseline permissions is necessary for any enterprise-ready access control system. If you have 100+ users, and you need to audit every single user's permissions, that is too much effort and it does not scale.
Is your feature request related to a problem? Please describe.
In 2.137.0, we deprecated group-level permissions for several reasons, which are described here: https://docs.flagsmith.com/system-administration/rbac#deprecated-features
For the same reasons, we should also deprecate user-level permissions. This is especially important now since tag-level permissions can only be applied to roles and not users. For example, user-level permissions look like this:
whereas editing role permissions offers more options:
Describe the solution you'd like.
Deprecate user-level permissions, add warnings in the UI when using them, and make them less prominent than role-level permissions.
Describe alternatives you've considered
🤷
Additional context
No response