After trying to create an "org admin" today[1], I am seeing a lot of merit in an idea @jsherrill suggested: When an org is created, create the roles for that org at the same time. You'll note that there at least are 40(!) filters to create for an org admin (feels like 40 factorial mouse clicks). While I appreciate the granularity as being a requirement, it is insane to think anyone would remain sane at the end of this process. As @ehelms has suggested often, I will augment my weekend ranting emails with more details and suggested solutions.
First, the roles and filters need a new UI and searchable fields. As the number of roles and their contained filters grow, the existing UI breaks down. It is not possible to search by resource (correct me if I'm wrong) nor by permission (again, correct me). Given that there are 40 filters that need to be created, this spans two pages of UI: If I edit one of those filters, please please please don't bring me back to page one and clear my search. This will become a problem if my next suggestion is implemented…
Next, for many resource types it would be fantastic to auto-create roles to match. For example, when an organization is created, simultaneously auto-create an org admin and an org auditor. When a host collection is created, create an admin for that. I think the list of auto-roles won't be too long in the end, but it will save users a lot of time if this can be done.
I will also admit to massive confusion on how to assign organizations and locations to roles. If I put a permission into a location, does that mean the permission is granted to that location regardless of location? If I leave the location blank, does that mean any location or none? Having a way to view the resources that a permission applies to in that context is absolutely necessary, in my opinion. Making roles feels like gambling at the moment: Roll the dice, who knows what objects you'll get admin for.
I will suggest that all devs consider creating themselves an org admin user by hand (use hammer-cli-csv if you are felling lazy) and stop using the built in admin user. It is eye-opening. Good luck!
[1] https://github.com/Katello/hammer-cli-csv/blob/master/test/data/roles.csv#L120
···
-- @thomasmckay–
“The leader must aim high, see big, judge widely, thus setting himself apart form the ordinary people who debate in narrow confines.” ~ Charles De Gaulle
“Leadership is about making others better as a result of your presence and making sure that impact lasts in your absence.” ~ Harvard Business School