[katello-devel] Updated Permission matrix

Justin Sherrill jsherril at redhat.com
Tue Jul 19 13:22:29 UTC 2011


On 07/19/2011 07:41 AM, Lukas Zapletal wrote:
> On 07/18/2011 11:51 PM, Partha Aji wrote:
>>> This was an incorrect assumption. A user can be tied to (0..n)
>>> organizations using permissions (his own role). There will be no
>>> User-Org database relationship at all.
>>>
>> I know the model allows it. But does the existence of such a user
>> make sense?
>> I mean, what can a user who is part of no org do?
>
> It's more a technical thing. A user will be able to assign permissions to
> other users to access their organizations. We still need to implement
> the organization access permission. Why introduce an explicit org-user
> relationship and check it twice in the code (one time the explicit
> relationship, second time the permission)?
>
> It could work without this explicit relationship. I think this is the
> idea, Bryan, is it?

I think this is ok; the only tricky thing is the UI.  We have to be able
to show a list of organizations a user can log in as.  To get this list
we would have to go through all of a user's roles and permissions, detect
the resource type of each resource, and determine what org it is in.
(I.e. if the user has permissions to edit a particular 'product', we
have to know that the resource type is product and find its org.)  It's
doable, but not necessarily straightforward, and could be a bit weird.
I would add the item 'list orgs a user can access' as a backlog item if
we are doing it this way.

We also need to consider this in the permissions matrix.  Things like
"provider create" need an organization associated with them (which is a
deficiency regardless).

We would also need to modify some of the items such as "Can see list of
providers" to something like:

(read, providers, any Provider X in org Y), (update, providers, any
Provider X in org Y), or (create, providers, Org Y).


This makes it a bit tricky for the UI, because we have to separate out
read/update from create and show the user provider tags for
read/update and organization tags for create.  There's nothing really in
the data layer to tell us this currently.

Thoughts?

-Justin

>> OR are you trying to say that whoever has the authority to manage,
>> as in the creator
>> of the user Foo, can set up the "self role" of user Foo in such a way
>> that Foo can access specific organizations?
>> In that case we would not want Foo to be able to edit his own
>> 'self-role' permissions, right?
>
> I don't know what requirements are in this case. I would expect
> creators to be able to do anything with "their" objects. Except
> deleting the permission itself.
>
> At the end of the day we should not allow users to modify their "own"
> (self-role) permissions which have been created by Katello itself.
> We may need to flag them somehow as "system created permissions" and
> disallow users from modifying them.
>
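The derivation Justin describes (walk every role and permission, resolve each resource to its org, and collect the orgs a user can log in as), together with the create-vs-read/update split and the "system created permission" guard Lukas mentions, as an added Ruby example. This is not Katello's code: every class, method and constant name below is hypothetical, the resource-to-org lookup is modelled as plain hashes standing in for the database, and the sample user and permission tuples are constructed for illustration.

```ruby
require 'set'

# Constructed sample data standing in for the database tables (assumption:
# products and providers each belong to exactly one org).
ORGS      = { 1 => 'ACME', 2 => 'Globex' }.freeze
PRODUCTS  = { 10 => 1, 11 => 2 }.freeze   # product id  => org id
PROVIDERS = { 20 => 1, 21 => 1 }.freeze   # provider id => org id

# How each resource type resolves an instance id to the org that owns it.
ORG_OF = {
  'organizations' => ->(id) { ORGS.key?(id) ? id : nil },
  'products'      => ->(id) { PRODUCTS[id] },
  'providers'     => ->(id) { PROVIDERS[id] },
}.freeze

# (verb, resource_type, scope): for read/update the scope is a list of
# resource ids ("any Provider X in org Y"); for create it is an org id
# ("create, providers, Org Y"). system_created flags the self-role
# permissions the system itself generates (hypothetical field).
Permission = Struct.new(:verb, :resource_type, :scope, :system_created,
                        keyword_init: true)
Role = Struct.new(:name, :permissions, keyword_init: true)
User = Struct.new(:login, :roles, keyword_init: true)

class PermissionError < StandardError; end

# Which kind of tag the UI should show for this permission's scope:
# organization tags for create, resource tags for read/update.
def scope_kind(perm)
  perm.verb == 'create' ? :organization : :resource
end

# Org ids this single permission grants access to. Raises rather than
# silently granting nothing when the tuple cannot be tied to an org.
def orgs_for_permission(perm)
  if scope_kind(perm) == :organization
    unless ORGS.key?(perm.scope)
      raise PermissionError, "create #{perm.resource_type}: org #{perm.scope.inspect} does not exist"
    end
    return [perm.scope]
  end
  resolver = ORG_OF.fetch(perm.resource_type) do
    raise PermissionError, "unknown resource type #{perm.resource_type}"
  end
  ids = Array(perm.scope)
  raise PermissionError, "#{perm.verb} #{perm.resource_type}: empty scope" if ids.empty?
  ids.map do |id|
    resolver.call(id) or raise PermissionError, "#{perm.resource_type} #{id} has no org"
  end
end

# The "list orgs a user can access" backlog item: walk every role and
# permission, resolve each to its org, and de-duplicate.
def accessible_orgs(user)
  user.roles.flat_map(&:permissions)
      .flat_map { |perm| orgs_for_permission(perm) }
      .to_set
end

# Refuse to edit permissions the system created for the user (self-role).
def update_scope!(perm, new_scope)
  raise PermissionError, 'system-created permission cannot be modified' if perm.system_created
  perm.scope = new_scope
  perm
end

# Constructed user: may read two providers in org 1 (system-created
# self-role) and create products in org 2 (granted by someone else).
def sample_user
  self_role = Role.new(name: 'foo_self', permissions: [
    Permission.new(verb: 'read', resource_type: 'providers',
                   scope: [20, 21], system_created: true),
  ])
  extra = Role.new(name: 'globex_products', permissions: [
    Permission.new(verb: 'create', resource_type: 'products',
                   scope: 2, system_created: false),
  ])
  User.new(login: 'foo', roles: [self_role, extra])
end

if __FILE__ == $PROGRAM_NAME
  user = sample_user
  names = accessible_orgs(user).map { |id| ORGS[id] }
  puts "#{user.login} can log in as: #{names.join(', ')}"
end
```

Note that the org list is recomputed from permissions every time; with no user-org table there is nothing else to read it from, so a real implementation would want to cache it or resolve the org in a single query per resource type rather than per id.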



