[katello-devel] Updated Permission matrix

Lukas Zapletal lzap at redhat.com
Wed Jul 20 08:48:36 UTC 2011


On 07/19/2011 03:22 PM, Justin Sherrill wrote:
> I think this is ok, the only tricky thing is the UI.  We have to be able
> to show a list of organizations a user can log in as.  To get this list
> we would have to go through all a user's roles and permissions and detect
> which organization each resource type is and determine what org it is.

Well true. But we would need to do it in any case if we want to support 
giving permissions to organizations.

In addition to that I expect we will need to do it this way for every 
list of objects users are assigned permissions to (e.g. products, 
environments etc).

There is no such support in the RBAC yet. We need a method "return me 
all the permissions of this resource type for this particular 
role/user/all_his_roles".

Bryan, what are the requirements in this case? Can you throw in your
comments?

> We also need to consider this in the permissions matrix.  Things like
> "provider create" need an organization associated with them (which is a
> deficiency regardless).

Once the "default working organization" is set in the page header the UI 
can use it. (I mean the "organization switcher" - not sure about the 
component name.) My assumption is once you change the organization here 
you only see objects that belong to the organization (and nothing else). 
Is it feasible to use this reference then?

> We would also need to modify some of the items such as "Can See list of
> providers"  to something like:
>
> (read, providers, any Provider X in org Y), (update, providers, any
> Provider X in org Y), or (create, providers, Org Y).
>
> This makes it a bit tricky for the UI, because we have to separate out
> read/update  from create and show to the user provider tags for
> read/update and organization tags for create.  There's nothing really in
> the data layer to tell us this currently.
>
> Thoughts ?

I don't get why you would need that. There is a provider-organization
relationship, isn't there? And you can find the user's permission on the
organization. Please elaborate for me ;-)

Please don't take it that I am saying "no org-user relationships at all".
Frankly I was an advocate of it, until Bryan put me on the permissions
path. Now I am in doubt again.    d=]

-- 
Later,

  Lukas Zapletal | E32E400A
  RHN Satellite Engineering
  Red Hat Czech s.r.o. Brno
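
The lookup asked for in the message above ("return me all the permissions of this resource type for this particular role/user/all_his_roles"), and the organization list the UI would derive from it, as an added Ruby example that is not Katello code and not part of the original message. The Permission/Role/User structs, the `:all` scope marker and the sample data are assumptions made for illustration.

```ruby
# Hypothetical RBAC model (assumed names, not Katello's schema).
# A permission is (verb, resource_type, org, tags); tags is either a list of
# resource names or :all, meaning the permission is scoped to the whole org.
Permission = Struct.new(:verb, :resource_type, :org, :tags)
Role = Struct.new(:name, :permissions)
User = Struct.new(:login, :roles)

# All permissions of one resource type across every role the user holds.
def permissions_for(user, resource_type)
  user.roles.flat_map(&:permissions)
      .select { |p| p.resource_type == resource_type }
      .uniq
end

# Organizations to offer in the org switcher: every org referenced by any
# of the user's permissions, whatever the resource type.
def organizations_for(user)
  user.roles.flat_map(&:permissions).map(&:org).compact.uniq.sort
end

# Deny by default: allowed only when verb, type and org match, and the
# permission is org-wide (:all) or names the requested resource.
def allowed?(user, verb, resource_type, org, tag = nil)
  permissions_for(user, resource_type).any? do |p|
    p.verb == verb && p.org == org && (p.tags == :all || p.tags.include?(tag))
  end
end

# Constructed sample data mirroring the tuples quoted in the thread:
# read/update are tagged with a provider, create is tagged with the org.
PROVIDER_ROLE = Role.new("acme_providers", [
  Permission.new(:read,   :providers, "ACME", ["Red Hat"]),
  Permission.new(:update, :providers, "ACME", ["Red Hat"]),
  Permission.new(:create, :providers, "ACME", :all)
])
ENV_ROLE = Role.new("globex_envs", [
  Permission.new(:read, :environments, "Globex", :all)
])
ALICE = User.new("alice", [PROVIDER_ROLE, ENV_ROLE])

if __FILE__ == $PROGRAM_NAME
  puts "orgs: #{organizations_for(ALICE).inspect}"
  puts "create provider in ACME: #{allowed?(ALICE, :create, :providers, 'ACME')}"
  puts "create provider in Globex: #{allowed?(ALICE, :create, :providers, 'Globex')}"
end
```
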



