Does anyone let non-admin users manage roles?

Hello

After some work that has been done on Roles and Organizations/Locations
recently, we realized that we tend to support a very complicated feature. We
allow delegating role editing permissions to non-admin users. When Organizations
and Locations are also enabled, users and filters can be scoped to them too.
With Foreman 1.13, this will be available for Roles as well.

Let's assume we have a user scoped to Orgs A and B who can edit roles. From
his point of view, when editing the role Manager, he updates only permissions for
these two orgs, but since the role is global it could affect other orgs too. We
could add some check that the user can only edit roles that are associated with
the same or fewer orgs than his account.

But there's another problem: no organization set actually means "any
organization". So if a user removes all org associations, he or she would make it
global, affecting all users. Again, we could add some extra check for this
case.

There's also a permission for which organizations and locations a user can assign,
which is automatically checked after each save, so the user should also have this
permission for all organizations he's assigned to.

Another challenge is how to tell users that they can't edit this role because
of the reasons described above. We'd have to say "you can't edit this role because
it's also being used elsewhere, but we can't tell you where".

Well, if you understood all I've written so far, maybe it's just my feeling, but
I find all of this unnecessarily complicated. I saw other apps that only
allowed role modification to super admin users. Other users could still assign
existing roles to user accounts, but they couldn't modify the scope of these
roles.

Therefore my question: would a simplification like this be considered a problem for
any Foreman user? Or can we let only admins edit roles and filters?

Thanks for any feedback

-- Marek

Long ago I tried to implement "A user should not be able to create a role
that exceeds their own permissions."[1][2] I didn't really dig into the
code enough to get it right, though.

If we ever hope to go to any sort of multi-tenancy, I think it is important
to allow non "checkbox admins" to administer their own orgs. By "checkbox
admin" I mean the superuser that can do everything, i.e. the admins we have now
with the checkbox on the user page. This flag bypasses all RBAC when checking auth.

What I thought would work is a model where a user could never create a
permission that exceeded their own. In this way, a checkbox admin could
create an org admin. The org admin would have all available permissions but
scoped to just a specific org, including roles. This org admin could then
themselves grant permissions to other users, but those permissions could never
exceed the scope of the org.

If I recall correctly, I implemented this by giving users two permissions,
one from the user that created the other user and the other the normal
set assigned directly. Whenever RBAC was checked, the test would run
through both.

The parent user permissions could be displayed easily on the user in a
separate read only or locked list.

If the parent user gained new permissions (eg. they were added to org B in
addition to the original org A), then they could grant the new permissions
to their users.

In summary, I am not at all a fan of the checkbox admin as the sole power
user model. I believe the checkbox admin should be rare and the more common
admin should be a user with all or a subset of permissions. Having worked
with various RBAC implementations over the years and knowing the difficulty
in getting them right, I really like the one implemented in Foreman and
believe it's very close to being completely suitable for multi-tenancy use.

[1] Bug #8673: [RBAC] A user should not be able to create a role that exceeds their own permissions. - Foreman
[2] https://github.com/theforeman/foreman/pull/2011

On Fri, Aug 26, 2016 at 9:10 AM, Marek Hulán wrote:

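The checks discussed in both messages above (Marek's rule that a user may only edit roles whose orgs are a subset of his own, the trap that no org association means "any organization", and the two-permission-set model from the reply, where an action is checked against the creating user's permissions as well), as an added example in Ruby. This is not Foreman's code: every class and method name (Scope, User#allowed?, can_edit_role?, grant!) is hypothetical, and the users and roles in demo are constructed for illustration.

```ruby
# Added example, not Foreman's code: a toy model of the scope checks discussed
# in this thread. All names (Scope, User#allowed?, can_edit_role?, grant!) are
# hypothetical; the users and roles in demo are constructed for illustration.
require 'set'

# A set of organization names. The empty set means "any organization", mirroring
# the convention that a role with no org association is global.
class Scope
  attr_reader :orgs
  def initialize(orgs)
    @orgs = Set.new(orgs)
  end
  def global?
    @orgs.empty?
  end
  # True if everything reachable under this scope is also reachable under
  # +other+. A global scope is only within another global scope.
  def within?(other)
    return true if other.global?
    return false if global?
    @orgs.subset?(other.orgs)
  end
end

Role       = Struct.new(:name, :scope)
Permission = Struct.new(:action, :scope)

class User
  attr_reader :name, :scope, :permissions, :parent

  # +parent+ is the user who created this account; +admin+ is the "checkbox
  # admin" flag, which bypasses RBAC entirely.
  def initialize(name, scope:, permissions: [], parent: nil, admin: false)
    @name, @scope, @parent, @admin = name, scope, parent, admin
    @permissions = permissions.dup
  end
  def admin?
    @admin
  end

  # Two-permission-set check: the action must be covered by one of the user's
  # own permissions and by the creating user's permissions, recursively up the
  # chain, so a directly assigned permission never exceeds what the parent holds.
  def allowed?(action, target_scope)
    return true if admin?
    own = permissions.any? { |p| p.action == action && target_scope.within?(p.scope) }
    own && (parent.nil? || parent.allowed?(action, target_scope))
  end

  # A user may only hand out permissions they hold themselves.
  def can_grant?(perm)
    allowed?(perm.action, perm.scope)
  end
  def grant!(target, perm)
    raise ArgumentError, "#{name} may not grant #{perm.action}" unless can_grant?(perm)
    target.permissions << perm
  end

  # A non-admin may edit a role only if its current scope lies within their own
  # (a global role fails, since it is visible everywhere) and the requested new
  # scope does too, so dropping every org association, which would make the
  # role global, is refused as well.
  def can_edit_role?(role, new_scope)
    admin? || (allowed?(:edit_roles, role.scope) && allowed?(:edit_roles, new_scope))
  end
end

# Constructed scenario: a checkbox admin creates an org admin for A and B, who
# creates a user scoped to A, and another holding a permission for C that the
# org admin does not have.
def demo
  root  = User.new('root', scope: Scope.new([]), admin: true)
  alice = User.new('alice', scope: Scope.new(%w[A B]), parent: root,
                   permissions: [Permission.new(:edit_roles, Scope.new(%w[A B])),
                                 Permission.new(:edit_hosts, Scope.new(%w[A B]))])
  bob   = User.new('bob', scope: Scope.new(%w[A]), parent: alice,
                   permissions: [Permission.new(:edit_hosts, Scope.new(%w[A]))])
  carol = User.new('carol', scope: Scope.new(%w[C]), parent: alice,
                   permissions: [Permission.new(:edit_hosts, Scope.new(%w[C]))])
  manager = Role.new('Manager', Scope.new([]))          # global role
  ab_role = Role.new('AB operator', Scope.new(%w[A B]))
  results = {
    edit_global_role:    alice.can_edit_role?(manager, Scope.new(%w[A])),
    narrow_own_role:     alice.can_edit_role?(ab_role, Scope.new(%w[A])),
    widen_to_global:     alice.can_edit_role?(ab_role, Scope.new([])),
    widen_to_org_c:      alice.can_edit_role?(ab_role, Scope.new(%w[A C])),
    bob_in_a:            bob.allowed?(:edit_hosts, Scope.new(%w[A])),
    bob_in_b:            bob.allowed?(:edit_hosts, Scope.new(%w[B])),
    grant_beyond_parent: alice.can_grant?(Permission.new(:edit_hosts, Scope.new(%w[A C]))),
    carol_capped:        carol.allowed?(:edit_hosts, Scope.new(%w[C]))
  }
  # The cap is evaluated live: once root widens alice to C, carol's permission works.
  root.grant!(alice, Permission.new(:edit_hosts, Scope.new(%w[C])))
  results[:carol_after_parent_widened] = carol.allowed?(:edit_hosts, Scope.new(%w[C]))
  results
end
```

Running demo shows alice refused on the global Manager role, refused when she tries to widen her own role to no orgs or to org C, bob allowed in A but not B, and carol's directly assigned permission for C dead until root widens alice to C. The interesting edge is in Scope#within?: because the empty set is treated as "everything", it is never a subset of a concrete org list, which is exactly what stops a scoped user from turning a role global by clearing its org associations.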