I'm working on getting all of our user and group mappings going and
associating them with roles.
So start things out i created an admins group that encompasses 2 of our
ldap groups, and I have not been able to find an appropriate role set for
reasonable administration duties. To test I assigned all the available
roles to that group. I did not select 'administrator' checkbox, as that
does not really meet my needs because it doesnt allow RBAC.
Members of that group can't do lots of things.
1: Under content menu the following are missing:
Red Hat Repositories
Sync Status
Docker Tags
2: Under containers menu the following are missing:
New containers
3: Under Content the only category that the 'admins' can create under is
content view.
To clarify, by available you mean the default roles that are present at
install time?
Are you asking for:
A default role that represents being an admin without setting the admin
flag?
What permissions are needed to fill the current gap you have?
···
On Jul 30, 2015 1:58 PM, "Greg Swift" wrote:
I’m working on getting all of our user and group mappings going and
associating them with roles.
So start things out i created an admins group that encompasses 2 of our
ldap groups, and I have not been able to find an appropriate role set for
reasonable administration duties. To test I assigned all the available
roles to that group. I did not select ‘administrator’ checkbox, as that
does not really meet my needs because it doesnt allow RBAC.
Members of that group can’t do lots of things.
1: Under content menu the following are missing:
Red Hat Repositories
Sync Status
Docker Tags
2: Under containers menu the following are missing:
New containers
3: Under Content the only category that the ‘admins’ can create under is
content view.
By default roles I do mean those that are present at install time.
I'm not asking for a default role that is like admin without setting
the admin flags, but I do think that there are a lot of role concepts that
should come out of the box. I realize I can create roles, and try
determining what filters need to be applied.
Roles I would suggest:
'Content Manager' can (See attached for a hammer view of this):
View all the things Content Manager manages (could just extend
Viewer)
'Release Manager' can:
Cut and promote versions
'Release Viewer'
View all the things Release Manager manages (could just extend
Viewer)
I'm sure there might be other types of useful roles, but thats as far as
I've cared.
The process for adding all of these filters to a role is also quite tedious.
1: Goto Roles.
2: Create Role (can't add filters, just name)
3: Go back into the specific role and goto filters, add new filters
4: Select category from drop down, add appropriate filters
5: Save the filter set for this category (can only do one category at a
time)
6: Repeat 3-5 until complete (After you save changes to the filters for a
role, it pushes back to main role screen)
I cant imagine manually creating some of the current roles with that
workflow. The Content Manager role I describe took 6 iterations for 3-5.
···
On Thu, Jul 30, 2015 at 3:20 PM Eric D Helms wrote:
To clarify, by available you mean the default roles that are present at
install time?
Are you asking for:
A default role that represents being an admin without setting the admin
flag?
What permissions are needed to fill the current gap you have?
On Jul 30, 2015 1:58 PM, “Greg Swift” gregswift@gmail.com wrote:
I’m working on getting all of our user and group mappings going and
associating them with roles.
So start things out i created an admins group that encompasses 2 of our
ldap groups, and I have not been able to find an appropriate role set for
reasonable administration duties. To test I assigned all the available
roles to that group. I did not select ‘administrator’ checkbox, as that
does not really meet my needs because it doesnt allow RBAC.
Members of that group can’t do lots of things.
1: Under content menu the following are missing:
Red Hat Repositories
Sync Status
Docker Tags
2: Under containers menu the following are missing:
New containers
3: Under Content the only category that the ‘admins’ can create under is
content view.
Do you think you'd be able to lay out these roles as you have created them
thus far in a github gist or maybe in this issue Feature #10754: User Creation Access Levels - Katello - Foreman ? I ask because that would give
us a starting place to work from since you have already had to work through
figuring out how to define these roles.
···
On Thu, Jul 30, 2015 at 4:53 PM, Greg Swift wrote:
By default roles I do mean those that are present at install time.
I’m not asking for a default role that is like admin without setting
the admin flags, but I do think that there are a lot of role concepts that
should come out of the box. I realize I can create roles, and try
determining what filters need to be applied.
Roles I would suggest:
‘Content Manager’ can (See attached for a hammer view of this):
View all the things Content Manager manages (could just extend
Viewer)
‘Release Manager’ can:
Cut and promote versions
‘Release Viewer’
View all the things Release Manager manages (could just extend
Viewer)
I’m sure there might be other types of useful roles, but thats as far as
I’ve cared.
The process for adding all of these filters to a role is also quite
tedious.
1: Goto Roles.
2: Create Role (can’t add filters, just name)
3: Go back into the specific role and goto filters, add new filters
4: Select category from drop down, add appropriate filters
5: Save the filter set for this category (can only do one category at a
time)
6: Repeat 3-5 until complete (After you save changes to the filters for a
role, it pushes back to main role screen)
I cant imagine manually creating some of the current roles with that
workflow. The Content Manager role I describe took 6 iterations for 3-5.
To clarify, by available you mean the default roles that are present at
install time?
Are you asking for:
A default role that represents being an admin without setting the
admin flag?
What permissions are needed to fill the current gap you have?
On Jul 30, 2015 1:58 PM, “Greg Swift” gregswift@gmail.com wrote:
I’m working on getting all of our user and group mappings going and
associating them with roles.
So start things out i created an admins group that encompasses 2 of our
ldap groups, and I have not been able to find an appropriate role set for
reasonable administration duties. To test I assigned all the available
roles to that group. I did not select ‘administrator’ checkbox, as that
does not really meet my needs because it doesnt allow RBAC.
Members of that group can’t do lots of things.
1: Under content menu the following are missing:
Red Hat Repositories
Sync Status
Docker Tags
2: Under containers menu the following are missing:
New containers
3: Under Content the only category that the ‘admins’ can create under is
content view.
Yes I can do that. thanks for locating an existing ticket for updating.
-greg
···
On Sat, Aug 1, 2015 at 9:56 AM Eric D Helms wrote:
Do you think you’d be able to lay out these roles as you have created them
thus far in a github gist or maybe in this issue Feature #10754: User Creation Access Levels - Katello - Foreman ? I ask because that would
give us a starting place to work from since you have already had to work
through figuring out how to define these roles.
By default roles I do mean those that are present at install time.
I’m not asking for a default role that is like admin without setting
the admin flags, but I do think that there are a lot of role concepts that
should come out of the box. I realize I can create roles, and try
determining what filters need to be applied.
Roles I would suggest:
‘Content Manager’ can (See attached for a hammer view of this):
View all the things Content Manager manages (could just extend
Viewer)
‘Release Manager’ can:
Cut and promote versions
‘Release Viewer’
View all the things Release Manager manages (could just extend
Viewer)
I’m sure there might be other types of useful roles, but thats as far as
I’ve cared.
The process for adding all of these filters to a role is also quite
tedious.
1: Goto Roles.
2: Create Role (can’t add filters, just name)
3: Go back into the specific role and goto filters, add new filters
4: Select category from drop down, add appropriate filters
5: Save the filter set for this category (can only do one category at a
time)
6: Repeat 3-5 until complete (After you save changes to the filters for a
role, it pushes back to main role screen)
I cant imagine manually creating some of the current roles with that
workflow. The Content Manager role I describe took 6 iterations for 3-5.
To clarify, by available you mean the default roles that are present at
install time?
Are you asking for:
A default role that represents being an admin without setting the
admin flag?
What permissions are needed to fill the current gap you have?
On Jul 30, 2015 1:58 PM, “Greg Swift” gregswift@gmail.com wrote:
I’m working on getting all of our user and group mappings going and
associating them with roles.
So start things out i created an admins group that encompasses 2 of our
ldap groups, and I have not been able to find an appropriate role set for
reasonable administration duties. To test I assigned all the available
roles to that group. I did not select ‘administrator’ checkbox, as that
does not really meet my needs because it doesnt allow RBAC.
Members of that group can’t do lots of things.
1: Under content menu the following are missing:
Red Hat Repositories
Sync Status
Docker Tags
2: Under containers menu the following are missing:
New containers
3: Under Content the only category that the ‘admins’ can create under
is content view.