[katello-devel] Updated Permission matrix
Lukas Zapletal
lzap at redhat.com
Wed Jul 20 08:48:36 UTC 2011
On 07/19/2011 03:22 PM, Justin Sherrill wrote:
> I think this is ok, the only tricky thing is the UI. We have to be able
> to show a list of organizations a user can log in as. To get this list
> we would have to go through all a user's roles and permissions and detect
> which organization each resource type is and determine what org it is.
Well true. But we would need to do it in any case if we want to support
giving permissions to organizations.
In addition to that I expect we will need to do it this way for every
list of objects users are assigned permissions to (e.g. products,
environments etc).
There is no such support in the RBAC yet. We need a method "return me
all the permissions of this resource type for this particular
role/user/all_his_roles".
Bryan, what are the requirements in this case? Can you throw in your
comments?
> We also need to consider this in the permissions matrix. Things like
> "provider create" need an organization associated with them (which is a
> deficiency regardless).
Once the "default working organization" is set in the page header the UI
can use it. (I mean the "organization switcher" - not sure about the
component name.) My assumption is once you change the organization here
you only see objects that belong to the organization (and nothing else).
Is it feasible to use this reference then?
> We would also need to modify some of the items such as "Can See list of
> providers" to something like:
>
> (read, providers, any Provider X in org Y), (update, providers, any
> Provider X in org Y), or (create, providers, Org Y).
>
> This makes it a bit tricky for the UI, because we have to separate out
> read/update from create and show to the user provider tags for
> read/update and organization tags for create. There's nothing really in
> the data layer to tell us this currently.
>
> Thoughts ?
I don't get why you would need that. There is a provider-organization
relationship, isn't there? And you can find the user's permission on the
organization. Please elaborate for me ;-)
Please don't take it that I am saying "no org-user relationships at all".
Frankly I was an advocate of it, until Bryan put me on the permissions
path. Now I am in doubt again. d=]
--
Later,
Lukas Zapletal | E32E400A
RHN Satellite Engineering
Red Hat Czech s.r.o. Brno
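
A sketch of the lookup discussed in this thread, added here as an example and not taken from Katello's code or from either poster: it collects a user's permissions of one resource type across all roles, derives the organizations the user can work in, and filters providers by the selected organization. All struct, method and data names are hypothetical, and the sample data is constructed.

```ruby
# Hypothetical model: a permission is (verb, resource_type, tags), where tags
# are the ids the permission is scoped to (assumption, not Katello's schema).
Permission = Struct.new(:verb, :resource_type, :tags)
Role       = Struct.new(:name, :permissions)
User       = Struct.new(:login, :roles)

# Constructed sample data: provider id => owning organization.
PROVIDER_ORG = { "prov_rh" => "ACME", "prov_custom" => "ACME",
                 "prov_x" => "Globex" }.freeze

# "Return me all the permissions of this resource type for all of his roles."
def permissions_for(user, resource_type, verbs: nil)
  user.roles.flat_map(&:permissions).select do |p|
    p.resource_type == resource_type && (verbs.nil? || verbs.include?(p.verb))
  end
end

# read/update on providers is tagged with provider ids, create with an
# organization id, so the tag has to be resolved differently per verb.
def org_of(permission, tag)
  case permission.resource_type
  when :organizations then tag
  when :providers     then permission.verb == :create ? tag : PROVIDER_ORG[tag]
  end
end

# Organizations to offer in the switcher. Tags that resolve to no known
# organization (e.g. a deleted provider) are dropped, so they grant nothing.
def accessible_orgs(user)
  %i[organizations providers].flat_map do |type|
    permissions_for(user, type).flat_map { |p| p.tags.map { |t| org_of(p, t) } }
  end.compact.uniq.sort
end

# Once an organization is selected, list only the providers that belong to it.
def visible_providers(user, current_org)
  permissions_for(user, :providers, verbs: %i[read update])
    .flat_map(&:tags).uniq
    .select { |id| PROVIDER_ORG[id] == current_org }.sort
end

# Constructed user: reads one ACME provider, may create providers in Globex,
# and still carries a permission on a provider that no longer exists.
ALICE = User.new("alice", [
  Role.new("acme_viewer",    [Permission.new(:read,   :providers, ["prov_rh"])]),
  Role.new("globex_creator", [Permission.new(:create, :providers, ["Globex"])]),
  Role.new("stale",          [Permission.new(:read,   :providers, ["prov_deleted"])])
])
```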