[katello-devel] (Another) System Group permissions question

Justin Sherrill jsherril at redhat.com
Wed May 16 13:28:30 UTC 2012 

On 05/16/2012 04:24 AM, Lukas Zapletal wrote:
> Variation C looks like the easiest path, but I am not sure if I
> understand system group vs environment association correctly. Do we have
> more doco about this?
https://www.redhat.com/archives/katello-devel/2012-May/msg00009.html

By going with C  you'd basically be saying that some user Fred with 
:update can only add systems within Environments A or B.  But if fred 
wants to he can just change the environments thus removing the 
restricution all together. Which gets to the real question: What's the 
goal of this environment locking?

i) To restrict what systems users can add to a system group

ii) A convenience factor in helping organize groups

If the goal is i), then C does not make sense.  If the goal is ii), then 
C should be fine.  All three solutions are fairly trivial to implement.

-Justin

> LZ
>
> On Tue, May 15, 2012 at 01:51:21PM -0400, Justin Sherrill wrote:
>>
>> As part of the system group work, we are adding the ability to
>> optionally associate environments with a system group to lock down
>> group membership to only systems in a set of environments.  So as
>> part of this, how do we restrict who can modify environments
>> associated with a system group?  And further, what is the end goal
>> to modifying environments?
>>
>>
>> We currently have the following verbs for system group permissions:
>>         :create =>  _("Administer System Groups"),
>>         :read =>  _("Read System Group"),
>>         :update =>  _("Modify System Group details and system membership"),
>>         :delete =>  _("Delete System Group"),
>>         :locking =>  _("Lock/Unlock System Group"),
>>         :read_systems =>  _("Read Systems in System Group"),
>>         :update_systems =>  _("Modify Systems in System Group"),
>>         :delete_systems =>  _("Delete Systems in System Group")
>>
>>
>> Initially you would think the :update would be the ideal candidate
>> to allow access to modifying environments.  However, if the goal is
>> to restrict what systems (by environment) another user can add to
>> the group then it wouldn't make sense to give that user access to
>> modify the environments that are restricted.
>>
>> Possibilities are:
>>
>> a)  add a new permission to modify environments
>> b)  turn 'locking' into a new administrative verb and group
>> environment association with that (some sort of Group Admin
>> permission).  To me this makes the most sense, as both associating
>> environments and locking/unlocking are dealing with the same sort of
>> action (whether a system can be added to a group).  So you would end
>> up with something like
>>
>>     :restrict_modification =>  ("Lock/Unlock a group and modify group
>> environment restrictions")
>>
>> c)  Throw the restriction out the window and allow anyone that can
>> modify membership (:update) to be able to modify the associated
>> environments.
>>
>>
>> Thoughts?
>>
>> -Justin
>>
>> _______________________________________________
>> katello-devel mailing list
>> katello-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/katello-devel

More information about the katello-devel mailing list