My apologies for my short email. I generally like the direction we
are going here, of allowing permissions to be set more broadly than at
the user level.

I just wonder, why create a new concept of ORG? Why not extend user
groups to provide this functionality, as I feel like much of what you
are describing is something that I would like to see at the user group
level.

For example, I want some pretty hefty puppet class permissions at
the user group level, allowing me to set which puppet classes users in a
specific group can see in their list of available classes, and tag nodes
with.
Classes would not be restricted to being used by group and some groups
could
be common to all user groups. There are many other enhancements that could
be done to user group permissions in the same vein, that appear to
overlap with ORG functionality.

Perhaps I am missing something fundamental here?

Thanks,
Brian

On Tue, Jul 24, 2012 at 4:41 PM, Greg Blomquist blomquisg@gmail.com > wrote:

Hi all,

I apologize for the long email.
tl;dr: a discussion on the “organizations” feature for foreman; how it’s
used, what’s changed in foreman, open questions.

I’ve been working on a feature for Foreman to add Organizations (aka,
Locations). The concept is to be able to group system objects together
and
control access by users. You can see the code here:
https://github.com/theforeman/foreman/tree/orgs.

Background

With Organizations, an Admin can place system objects (Domains, Smart
Proxies, Compute Resources, etc…) into organizations and grant users
access to organizations. Users (non-admins) can only see system objects
in
their organizations.

Setup

An installer can enable organizations for a foreman instance by setting
the
"single_org" or “multi_org” foreman setting to true (in settings.yaml).
Foreman provides two ways to operate with organizations:

single_org: In single_org mode, an Admin can grant a user access to
several
organizations, but a user must select a single organization from an
Organization Dropdown while working in foreman.
multi_org: In multi_org mode, an Admin grants a user access to several
organizations, and the user can see all system objects in all granted
organizations.

The single_org and multi_org modes do not control how many organizations
a
user can belong to. Users can always belong to multiple orgs regardless
of
this setting (see Current Organization(s) below).

This allows foreman to provide flexibility in managing organizations.

Administration

Administrators are not bound to organizations, so admins can see all
system
objects regardless of organizational association. Users (non-admins) are
assigned to organizations. Users can only see the system objects that
are
associated to their organizations.

Organizationally bound objects

Compute Resources
Domains
Environments
Hostgroups
Installation Media
Smart Proxies

Organizations and Users

When organizations are enabled, Users (specifically, non-admins) can
belong
to multiple organizations. If organizations are enabled, then users can
only see system objects in their organizations. If a user is created and
not granted access to any organizations, the user will not see any
organizationally bound objects. If a system object is created and not
associated to any organizations, then no user will see the object (not
even
those users who have no organization association).

Current Organization(s)

In single_org mode, if a user is associated with only one organization,
that
organization becomes the user’s “current organization”. The current
organization provides foreman with the correct context for scope when
retrieving organizationally bound objects. If the user is associated
with
multiple organizations, the user can select the current organization
from an
organization drop down added to the topbar context. For the user in
multiple organizations, the default current organization is
User.current.organizations.first.

When creating system objects in single_org mode, the user’s current
organization is automatically associated with the system object being
created. For instance, when a user creates Domain “ABC” and has
Organization “X” currently selected. Domain “ABC” is automatically
associated with Organization “X”.

In multi_org mode, the current organizations is the list of organizations
the user is associated with. The user will be able to see all the object
associated to all of their organizations without having to select a
current
organization.

When creating system objects in multi_org mode, the user can select to
add
the system object to any of their organizations via an "Organizations"
tab
on the edit view.

Implementation

There are four key points of implementation:

enabling organizations
tracking current organization(s)
changes to views
updating the default_scope for model associations

Enabling organizations

The config/settings.yaml file contains two new settings: single_org and
multi_org. These settings are mutually exclusive. They can both be
false,
but they can’t both be true. To enable organizations, the installer
should
set either single_org or multi_org to true.

Enabling organizations will enable the routes for organizations as well
as
enable queries based on organization associations.

I haven’t tested enabling organizations, using organizations, then
disabling
organizations.

Tracking current organization(s)

In single_org mode, the current organization is tracked similar to the
current user; in a thread local variable. When a user (non-admin) logs
in,
the first organization (User.current.organizations.first) is selected as
the
current organization. When the user changes the current organization
using
the organization drop down, the thread local variable is updated.

In multi_org mode, the current organizations is always
User.current.organizations.

Changes to views

An organization tab has been added to the form for system objects that
are
organizationally bound. Administrators use the multi-checkbox on the
organizations tab to associated system objects to organizations.

Updating default_scope for model associations

In rails 3.0, the default_scope unnamed scope does not allow lambdas or
blocks. The default_scope is evaluated immediately upon definition
instead
of being evaluated at the time of SQL composition. (This has been fixed
in
rails 3.1 and moving forward:
https://rails.lighthouseapp.com/projects/8994/tickets/1812-default). In
order to restrict queries for organizationally bound system objects, the
processing of default_scope needed to change to allow a lambda to grab
the
currently selected organization(s) based on the current user. This
change
is implemented as an initializer monkey patch of
ActiveRecord::Base.current_scoped_methods.

The side effect of this monkey patch is that it’s not possible to stack
default_scopes that use lambdas and non-lambdas. For default_scopes that
use lambdas, all the default scoping should be contained in the lambda.

With lambdas available for default_scope, the model object associations
are
fairly straightforward. The class method Organization.apply_org_scope
will
scope the caller on its relationship with organizations through the
current
organization(s). Each model object for organizationally bound system
objects has a default_scope definition that calls
Organization.apply_org_scope in addition to any previous default scoping
that was applied before the organizations feature.

Open questions

What are other objects that should be organizationally bound?

puppet classes
hosts

How should user filters interact with organizational filtering?
When a user tries to create Domain “ABC” in Organization “X” and Domain
"ABC" already exists in Organization “Y”, the user will receive an error
saying that “ABC” already exists. However, the user cannot access Domain
"ABC". How should the foreman deal with this situation?

indicate the that Domain already exists, but the user does not have
access
to the Domain in that organization?
alert administrators that a user tried to add Domain “ABC” to an
different
Organization, and that perhaps the admin needs to associate the existing
"ABC" Domain with more orgs?
other ideas?

Should there be a “default organization” setting a user can select that
sets
the default current organization for the user upon login?
Is there a better way to represent the config/settings.yaml changes?
How do organizations and user groups coexist, if at all?
More questions?

Thanks!

---

Greg

I think that there should be both an expansion of the user group system
and how permissions work as well as organizations. User groups and
organizations do collide in a semantic way, though, so maybe user groups
need to be renamed to “permission groups” (that name kind of sucks, too.
Suggestions?). As the new names would suggest, permissions that can be
applied to groups of users (whether inside an organization or not) would
then be stored as “permission group” object and then users inside or
outside an organization can be placed into a permission group.

As for whether organizations are necessary, I definitely do think that
they are a worthwhile addition to Foreman. When looking at a tool like
Katello, it’s clear how powerful an organization system can become to
support multi-tenant installations. That being said, having a way that
Foreman can run as a single org (without any of the organization-related
language/tools) is important, too, and allows a smooth upgrade path for
users who are already happily using Foreman and don’t need the organization
tools.

Brian, as someone who is already using Foreman with several different
customer accounts, I’m interested in how useful you see more global
permissions groups along with organizations vs. a single user group model.
Thoughts?

On Thu, Jul 26, 2012 at 3:22 PM, Brian Gupta brian.gupta@brandorr.comwrote:

My apologies for my short email. I generally like the direction we
are going here, of allowing permissions to be set more broadly than at
the user level.

I just wonder, why create a new concept of ORG? Why not extend user
groups to provide this functionality, as I feel like much of what you
are describing is something that I would like to see at the user group
level.

For example, I want some pretty hefty puppet class permissions at
the user group level, allowing me to set which puppet classes users in a
specific group can see in their list of available classes, and tag nodes
with.
Classes would not be restricted to being used by group and some groups
could
be common to all user groups. There are many other enhancements that could
be done to user group permissions in the same vein, that appear to
overlap with ORG functionality.

Perhaps I am missing something fundamental here?

Thanks,
Brian

On Tue, Jul 24, 2012 at 4:41 PM, Greg Blomquist blomquisg@gmail.com >> wrote:

Hi all,

I apologize for the long email.
tl;dr: a discussion on the “organizations” feature for foreman; how it’s
used, what’s changed in foreman, open questions.

I’ve been working on a feature for Foreman to add Organizations (aka,
Locations). The concept is to be able to group system objects together
and
control access by users. You can see the code here:
https://github.com/theforeman/foreman/tree/orgs.

Background

With Organizations, an Admin can place system objects (Domains, Smart
Proxies, Compute Resources, etc…) into organizations and grant users
access to organizations. Users (non-admins) can only see system
objects in
their organizations.

Setup

An installer can enable organizations for a foreman instance by setting
the
"single_org" or “multi_org” foreman setting to true (in settings.yaml).
Foreman provides two ways to operate with organizations:

single_org: In single_org mode, an Admin can grant a user access to
several
organizations, but a user must select a single organization from an
Organization Dropdown while working in foreman.
multi_org: In multi_org mode, an Admin grants a user access to several
organizations, and the user can see all system objects in all granted
organizations.

The single_org and multi_org modes do not control how many
organizations a
user can belong to. Users can always belong to multiple orgs
regardless of
this setting (see Current Organization(s) below).

This allows foreman to provide flexibility in managing organizations.

Administration

Administrators are not bound to organizations, so admins can see all
system
objects regardless of organizational association. Users (non-admins)
are
assigned to organizations. Users can only see the system objects that
are
associated to their organizations.

Organizationally bound objects

Compute Resources
Domains
Environments
Hostgroups
Installation Media
Smart Proxies

Organizations and Users

When organizations are enabled, Users (specifically, non-admins) can
belong
to multiple organizations. If organizations are enabled, then users can
only see system objects in their organizations. If a user is created
and
not granted access to any organizations, the user will not see any
organizationally bound objects. If a system object is created and not
associated to any organizations, then no user will see the object (not
even
those users who have no organization association).

Current Organization(s)

In single_org mode, if a user is associated with only one organization,
that
organization becomes the user’s “current organization”. The current
organization provides foreman with the correct context for scope when
retrieving organizationally bound objects. If the user is associated
with
multiple organizations, the user can select the current organization
from an
organization drop down added to the topbar context. For the user in
multiple organizations, the default current organization is
User.current.organizations.first.

When creating system objects in single_org mode, the user’s current
organization is automatically associated with the system object being
created. For instance, when a user creates Domain “ABC” and has
Organization “X” currently selected. Domain “ABC” is automatically
associated with Organization “X”.

In multi_org mode, the current organizations is the list of
organizations
the user is associated with. The user will be able to see all the
object
associated to all of their organizations without having to select a
current
organization.

When creating system objects in multi_org mode, the user can select to
add
the system object to any of their organizations via an "Organizations"
tab
on the edit view.

Implementation

There are four key points of implementation:

enabling organizations
tracking current organization(s)
changes to views
updating the default_scope for model associations

Enabling organizations

The config/settings.yaml file contains two new settings: single_org and
multi_org. These settings are mutually exclusive. They can both be
false,
but they can’t both be true. To enable organizations, the installer
should
set either single_org or multi_org to true.

Enabling organizations will enable the routes for organizations as well
as
enable queries based on organization associations.

I haven’t tested enabling organizations, using organizations, then
disabling
organizations.

Tracking current organization(s)

In single_org mode, the current organization is tracked similar to the
current user; in a thread local variable. When a user (non-admin) logs
in,
the first organization (User.current.organizations.first) is selected
as the
current organization. When the user changes the current organization
using
the organization drop down, the thread local variable is updated.

In multi_org mode, the current organizations is always
User.current.organizations.

Changes to views

An organization tab has been added to the form for system objects that
are
organizationally bound. Administrators use the multi-checkbox on the
organizations tab to associated system objects to organizations.

Updating default_scope for model associations

In rails 3.0, the default_scope unnamed scope does not allow lambdas or
blocks. The default_scope is evaluated immediately upon definition
instead
of being evaluated at the time of SQL composition. (This has been
fixed in
rails 3.1 and moving forward:
https://rails.lighthouseapp.com/projects/8994/tickets/1812-default).
In
order to restrict queries for organizationally bound system objects, the
processing of default_scope needed to change to allow a lambda to grab
the
currently selected organization(s) based on the current user. This
change
is implemented as an initializer monkey patch of
ActiveRecord::Base.current_scoped_methods.

The side effect of this monkey patch is that it’s not possible to stack
default_scopes that use lambdas and non-lambdas. For default_scopes
that
use lambdas, all the default scoping should be contained in the lambda.

With lambdas available for default_scope, the model object associations
are
fairly straightforward. The class method Organization.apply_org_scope
will
scope the caller on its relationship with organizations through the
current
organization(s). Each model object for organizationally bound system
objects has a default_scope definition that calls
Organization.apply_org_scope in addition to any previous default scoping
that was applied before the organizations feature.

Open questions

What are other objects that should be organizationally bound?

puppet classes
hosts

How should user filters interact with organizational filtering?
When a user tries to create Domain “ABC” in Organization “X” and Domain
"ABC" already exists in Organization “Y”, the user will receive an error
saying that “ABC” already exists. However, the user cannot access
Domain
"ABC". How should the foreman deal with this situation?

indicate the that Domain already exists, but the user does not have
access
to the Domain in that organization?
alert administrators that a user tried to add Domain “ABC” to an
different
Organization, and that perhaps the admin needs to associate the existing
"ABC" Domain with more orgs?
other ideas?

Should there be a “default organization” setting a user can select that
sets
the default current organization for the user upon login?
Is there a better way to represent the config/settings.yaml changes?
How do organizations and user groups coexist, if at all?
More questions?

Thanks!

---

Greg

–b k

On Fri, Jul 27, 2012 at 11:16 AM, Sam Kottler sam@kottlerdevelopment.comwrote:

I think that there should be both an expansion of the user group system
and how permissions work as well as organizations. User groups and
organizations do collide in a semantic way, though, so maybe user groups
need to be renamed to “permission groups” (that name kind of sucks, too.
Suggestions?). As the new names would suggest, permissions that can be
applied to groups of users (whether inside an organization or not) would
then be stored as “permission group” object and then users inside or
outside an organization can be placed into a permission group.

As for whether organizations are necessary, I definitely do think that
they are a worthwhile addition to Foreman. When looking at a tool like
Katello, it’s clear how powerful an organization system can become to
support multi-tenant installations. That being said, having a way that
Foreman can run as a single org (without any of the organization-related
language/tools) is important, too, and allows a smooth upgrade path for
users who are already happily using Foreman and don’t need the organization
tools.

Brian, as someone who is already using Foreman with several different
customer accounts, I’m interested in how useful you see more global
permissions groups along with organizations vs. a single user group model.
Thoughts?

On Thu, Jul 26, 2012 at 3:22 PM, Brian Gupta brian.gupta@brandorr.comwrote:

My apologies for my short email. I generally like the direction we
are going here, of allowing permissions to be set more broadly than at
the user level.

I just wonder, why create a new concept of ORG? Why not extend user
groups to provide this functionality, as I feel like much of what you
are describing is something that I would like to see at the user group
level.

For example, I want some pretty hefty puppet class permissions at
the user group level, allowing me to set which puppet classes users in a
specific group can see in their list of available classes, and tag nodes
with.
Classes would not be restricted to being used by group and some groups
could
be common to all user groups. There are many other enhancements that
could
be done to user group permissions in the same vein, that appear to
overlap with ORG functionality.

Perhaps I am missing something fundamental here?

Thanks,
Brian

On Tue, Jul 24, 2012 at 4:41 PM, Greg Blomquist blomquisg@gmail.com >>> wrote:

Hi all,

I apologize for the long email.
tl;dr: a discussion on the “organizations” feature for foreman; how
it’s
used, what’s changed in foreman, open questions.

I’ve been working on a feature for Foreman to add Organizations (aka,
Locations). The concept is to be able to group system objects
together and
control access by users. You can see the code here:
https://github.com/theforeman/foreman/tree/orgs.

Background

With Organizations, an Admin can place system objects (Domains, Smart
Proxies, Compute Resources, etc…) into organizations and grant users
access to organizations. Users (non-admins) can only see system
objects in
their organizations.

Setup

An installer can enable organizations for a foreman instance by
setting the
"single_org" or “multi_org” foreman setting to true (in settings.yaml).
Foreman provides two ways to operate with organizations:

single_org: In single_org mode, an Admin can grant a user access to
several
organizations, but a user must select a single organization from an
Organization Dropdown while working in foreman.
multi_org: In multi_org mode, an Admin grants a user access to several
organizations, and the user can see all system objects in all granted
organizations.

The single_org and multi_org modes do not control how many
organizations a
user can belong to. Users can always belong to multiple orgs
regardless of
this setting (see Current Organization(s) below).

This allows foreman to provide flexibility in managing organizations.

Administration

Administrators are not bound to organizations, so admins can see all
system
objects regardless of organizational association. Users (non-admins)
are
assigned to organizations. Users can only see the system objects that
are
associated to their organizations.

Organizationally bound objects

Compute Resources
Domains
Environments
Hostgroups
Installation Media
Smart Proxies

Organizations and Users

When organizations are enabled, Users (specifically, non-admins) can
belong
to multiple organizations. If organizations are enabled, then users
can
only see system objects in their organizations. If a user is created
and
not granted access to any organizations, the user will not see any
organizationally bound objects. If a system object is created and not
associated to any organizations, then no user will see the object (not
even
those users who have no organization association).

Current Organization(s)

In single_org mode, if a user is associated with only one
organization, that
organization becomes the user’s “current organization”. The current
organization provides foreman with the correct context for scope when
retrieving organizationally bound objects. If the user is associated
with
multiple organizations, the user can select the current organization
from an
organization drop down added to the topbar context. For the user in
multiple organizations, the default current organization is
User.current.organizations.first.

When creating system objects in single_org mode, the user’s current
organization is automatically associated with the system object being
created. For instance, when a user creates Domain “ABC” and has
Organization “X” currently selected. Domain “ABC” is automatically
associated with Organization “X”.

In multi_org mode, the current organizations is the list of
organizations
the user is associated with. The user will be able to see all the
object
associated to all of their organizations without having to select a
current
organization.

When creating system objects in multi_org mode, the user can select to
add
the system object to any of their organizations via an "Organizations"
tab
on the edit view.

Implementation

There are four key points of implementation:

enabling organizations
tracking current organization(s)
changes to views
updating the default_scope for model associations

Enabling organizations

The config/settings.yaml file contains two new settings: single_org
and
multi_org. These settings are mutually exclusive. They can both be
false,
but they can’t both be true. To enable organizations, the installer
should
set either single_org or multi_org to true.

Enabling organizations will enable the routes for organizations as
well as
enable queries based on organization associations.

I haven’t tested enabling organizations, using organizations, then
disabling
organizations.

Tracking current organization(s)

In single_org mode, the current organization is tracked similar to the
current user; in a thread local variable. When a user (non-admin)
logs in,
the first organization (User.current.organizations.first) is selected
as the
current organization. When the user changes the current organization
using
the organization drop down, the thread local variable is updated.

In multi_org mode, the current organizations is always
User.current.organizations.

Changes to views

An organization tab has been added to the form for system objects that
are
organizationally bound. Administrators use the multi-checkbox on the
organizations tab to associated system objects to organizations.

Updating default_scope for model associations

In rails 3.0, the default_scope unnamed scope does not allow lambdas or
blocks. The default_scope is evaluated immediately upon definition
instead
of being evaluated at the time of SQL composition. (This has been
fixed in
rails 3.1 and moving forward:
https://rails.lighthouseapp.com/projects/8994/tickets/1812-default).
In
order to restrict queries for organizationally bound system objects,
the
processing of default_scope needed to change to allow a lambda to grab
the
currently selected organization(s) based on the current user. This
change
is implemented as an initializer monkey patch of
ActiveRecord::Base.current_scoped_methods.

The side effect of this monkey patch is that it’s not possible to stack
default_scopes that use lambdas and non-lambdas. For default_scopes
that
use lambdas, all the default scoping should be contained in the lambda.

With lambdas available for default_scope, the model object
associations are
fairly straightforward. The class method Organization.apply_org_scope
will
scope the caller on its relationship with organizations through the
current
organization(s). Each model object for organizationally bound system
objects has a default_scope definition that calls
Organization.apply_org_scope in addition to any previous default
scoping
that was applied before the organizations feature.

Open questions

What are other objects that should be organizationally bound?

puppet classes
hosts

How should user filters interact with organizational filtering?
When a user tries to create Domain “ABC” in Organization “X” and Domain
"ABC" already exists in Organization “Y”, the user will receive an
error
saying that “ABC” already exists. However, the user cannot access
Domain
"ABC". How should the foreman deal with this situation?

indicate the that Domain already exists, but the user does not have
access
to the Domain in that organization?
alert administrators that a user tried to add Domain “ABC” to an
different
Organization, and that perhaps the admin needs to associate the
existing
"ABC" Domain with more orgs?
other ideas?

Should there be a “default organization” setting a user can select
that sets
the default current organization for the user upon login?
Is there a better way to represent the config/settings.yaml changes?
How do organizations and user groups coexist, if at all?
More questions?

Thanks!

---

Greg

-Brian

On Fri, Jul 27, 2012 at 11:16 AM, Sam Kottler > sam@kottlerdevelopment.com wrote:

I think that there should be both an expansion of the user group system
and
how permissions work as well as organizations. User groups and
organizations
do collide in a semantic way, though, so maybe user groups need to be
renamed to “permission groups” (that name kind of sucks, too.
Suggestions?).
As the new names would suggest, permissions that can be applied to
groups of
users (whether inside an organization or not) would then be stored as
"permission group" object and then users inside or outside an
organization
can be placed into a permission group.

As for whether organizations are necessary, I definitely do think that
they
are a worthwhile addition to Foreman. When looking at a tool like
Katello,
it’s clear how powerful an organization system can become to support
multi-tenant installations. That being said, having a way that Foreman
can
run as a single org (without any of the organization-related
language/tools)
is important, too, and allows a smooth upgrade path for users who are
already happily using Foreman and don’t need the organization tools.

Brian, as someone who is already using Foreman with several different
customer accounts, I’m interested in how useful you see more global
permissions groups along with organizations vs. a single user group
model.
Thoughts?

On Thu, Jul 26, 2012 at 3:22 PM, Brian Gupta brian.gupta@brandorr.com > > wrote:

My apologies for my short email. I generally like the direction we
are going here, of allowing permissions to be set more broadly than at
the user level.

I just wonder, why create a new concept of ORG? Why not extend user
groups to provide this functionality, as I feel like much of what you
are describing is something that I would like to see at the user group
level.

For example, I want some pretty hefty puppet class permissions at
the user group level, allowing me to set which puppet classes users in a
specific group can see in their list of available classes, and tag nodes
with.
Classes would not be restricted to being used by group and some groups
could
be common to all user groups. There are many other enhancements that
could

be done to user group permissions in the same vein, that appear to
overlap with ORG functionality.

Perhaps I am missing something fundamental here?

Thanks,
Brian

On Tue, Jul 24, 2012 at 4:41 PM, Greg Blomquist blomquisg@gmail.com > >> wrote:

Hi all,

I apologize for the long email.
tl;dr: a discussion on the “organizations” feature for foreman; how
it’s

used, what’s changed in foreman, open questions.

I’ve been working on a feature for Foreman to add Organizations (aka,
Locations). The concept is to be able to group system objects
together

and
control access by users. You can see the code here:
https://github.com/theforeman/foreman/tree/orgs.

Background

With Organizations, an Admin can place system objects (Domains, Smart
Proxies, Compute Resources, etc…) into organizations and grant users
access to organizations. Users (non-admins) can only see system
objects

in
their organizations.

Setup

An installer can enable organizations for a foreman instance by
setting

the
"single_org" or “multi_org” foreman setting to true (in
settings.yaml).

Foreman provides two ways to operate with organizations:

single_org: In single_org mode, an Admin can grant a user access to
several
organizations, but a user must select a single organization from an
Organization Dropdown while working in foreman.
multi_org: In multi_org mode, an Admin grants a user access to
several

organizations, and the user can see all system objects in all granted
organizations.

The single_org and multi_org modes do not control how many
organizations

a
user can belong to. Users can always belong to multiple orgs
regardless

of
this setting (see Current Organization(s) below).

This allows foreman to provide flexibility in managing organizations.

Administration

Administrators are not bound to organizations, so admins can see all
system
objects regardless of organizational association. Users (non-admins)
are
assigned to organizations. Users can only see the system objects that
are
associated to their organizations.

Organizationally bound objects

Compute Resources
Domains
Environments
Hostgroups
Installation Media
Smart Proxies

Organizations and Users

When organizations are enabled, Users (specifically, non-admins) can
belong
to multiple organizations. If organizations are enabled, then users
can

only see system objects in their organizations. If a user is created
and
not granted access to any organizations, the user will not see any
organizationally bound objects. If a system object is created and not
associated to any organizations, then no user will see the object (not
even
those users who have no organization association).

Current Organization(s)

In single_org mode, if a user is associated with only one
organization,

that
organization becomes the user’s “current organization”. The current
organization provides foreman with the correct context for scope when
retrieving organizationally bound objects. If the user is associated
with
multiple organizations, the user can select the current organization
from an
organization drop down added to the topbar context. For the user in
multiple organizations, the default current organization is
User.current.organizations.first.

When creating system objects in single_org mode, the user’s current
organization is automatically associated with the system object being
created. For instance, when a user creates Domain “ABC” and has
Organization “X” currently selected. Domain “ABC” is automatically
associated with Organization “X”.

In multi_org mode, the current organizations is the list of
organizations
the user is associated with. The user will be able to see all the
object
associated to all of their organizations without having to select a
current
organization.

When creating system objects in multi_org mode, the user can select to
add
the system object to any of their organizations via an "Organizations"
tab
on the edit view.

Implementation

There are four key points of implementation:

enabling organizations
tracking current organization(s)
changes to views
updating the default_scope for model associations

Enabling organizations

The config/settings.yaml file contains two new settings: single_org
and

multi_org. These settings are mutually exclusive. They can both be
false,
but they can’t both be true. To enable organizations, the installer
should
set either single_org or multi_org to true.

Enabling organizations will enable the routes for organizations as
well

as
enable queries based on organization associations.

I haven’t tested enabling organizations, using organizations, then
disabling
organizations.

Tracking current organization(s)

In single_org mode, the current organization is tracked similar to the
current user; in a thread local variable. When a user (non-admin)
logs

in,
the first organization (User.current.organizations.first) is selected
as

the
current organization. When the user changes the current organization
using
the organization drop down, the thread local variable is updated.

In multi_org mode, the current organizations is always
User.current.organizations.

Changes to views

An organization tab has been added to the form for system objects that
are
organizationally bound. Administrators use the multi-checkbox on the
organizations tab to associated system objects to organizations.

Updating default_scope for model associations

In rails 3.0, the default_scope unnamed scope does not allow lambdas
or

blocks. The default_scope is evaluated immediately upon definition
instead
of being evaluated at the time of SQL composition. (This has been
fixed

in
rails 3.1 and moving forward:
https://rails.lighthouseapp.com/projects/8994/tickets/1812-default).
In

order to restrict queries for organizationally bound system objects,
the

processing of default_scope needed to change to allow a lambda to grab
the
currently selected organization(s) based on the current user. This
change
is implemented as an initializer monkey patch of
ActiveRecord::Base.current_scoped_methods.

The side effect of this monkey patch is that it’s not possible to
stack

default_scopes that use lambdas and non-lambdas. For default_scopes
that
use lambdas, all the default scoping should be contained in the
lambda.

With lambdas available for default_scope, the model object
associations

are
fairly straightforward. The class method Organization.apply_org_scope
will
scope the caller on its relationship with organizations through the
current
organization(s). Each model object for organizationally bound system
objects has a default_scope definition that calls
Organization.apply_org_scope in addition to any previous default
scoping

that was applied before the organizations feature.

Open questions

What are other objects that should be organizationally bound?

puppet classes
hosts

How should user filters interact with organizational filtering?
When a user tries to create Domain “ABC” in Organization “X” and
Domain

“ABC” already exists in Organization “Y”, the user will receive an
error

saying that “ABC” already exists. However, the user cannot access
Domain
"ABC". How should the foreman deal with this situation?

indicate the that Domain already exists, but the user does not have
access
to the Domain in that organization?
alert administrators that a user tried to add Domain “ABC” to an
different
Organization, and that perhaps the admin needs to associate the
existing

“ABC” Domain with more orgs?
other ideas?

Should there be a “default organization” setting a user can select
that

sets
the default current organization for the user upon login?
Is there a better way to represent the config/settings.yaml changes?
How do organizations and user groups coexist, if at all?
More questions?

Thanks!

---

Greg

Ohad

-Brian

On Fri, Jul 27, 2012 at 11:16 AM, Sam Kottler >> sam@kottlerdevelopment.com wrote:

I think that there should be both an expansion of the user group system
and
how permissions work as well as organizations. User groups and
organizations
do collide in a semantic way, though, so maybe user groups need to be
renamed to “permission groups” (that name kind of sucks, too.
Suggestions?).
As the new names would suggest, permissions that can be applied to
groups of
users (whether inside an organization or not) would then be stored as
"permission group" object and then users inside or outside an
organization
can be placed into a permission group.

As for whether organizations are necessary, I definitely do think that
they
are a worthwhile addition to Foreman. When looking at a tool like
Katello,
it’s clear how powerful an organization system can become to support
multi-tenant installations. That being said, having a way that Foreman
can
run as a single org (without any of the organization-related
language/tools)
is important, too, and allows a smooth upgrade path for users who are
already happily using Foreman and don’t need the organization tools.

Brian, as someone who is already using Foreman with several different
customer accounts, I’m interested in how useful you see more global
permissions groups along with organizations vs. a single user group
model.
Thoughts?

On Thu, Jul 26, 2012 at 3:22 PM, Brian Gupta brian.gupta@brandorr.com >> > wrote:

My apologies for my short email. I generally like the direction we
are going here, of allowing permissions to be set more broadly than at
the user level.

I just wonder, why create a new concept of ORG? Why not extend user
groups to provide this functionality, as I feel like much of what you
are describing is something that I would like to see at the user group
level.

For example, I want some pretty hefty puppet class permissions at
the user group level, allowing me to set which puppet classes users in
a
specific group can see in their list of available classes, and tag
nodes
with.
Classes would not be restricted to being used by group and some groups
could
be common to all user groups. There are many other enhancements that
could
be done to user group permissions in the same vein, that appear to
overlap with ORG functionality.

Perhaps I am missing something fundamental here?

Thanks,
Brian

On Tue, Jul 24, 2012 at 4:41 PM, Greg Blomquist blomquisg@gmail.com >> >> wrote:

Hi all,

I apologize for the long email.
tl;dr: a discussion on the “organizations” feature for foreman; how
it’s
used, what’s changed in foreman, open questions.

I’ve been working on a feature for Foreman to add Organizations (aka,
Locations). The concept is to be able to group system objects
together
and
control access by users. You can see the code here:
https://github.com/theforeman/foreman/tree/orgs.

Background

With Organizations, an Admin can place system objects (Domains, Smart
Proxies, Compute Resources, etc…) into organizations and grant
users
access to organizations. Users (non-admins) can only see system
objects
in
their organizations.

Setup

An installer can enable organizations for a foreman instance by
setting
the
"single_org" or “multi_org” foreman setting to true (in
settings.yaml).
Foreman provides two ways to operate with organizations:

single_org: In single_org mode, an Admin can grant a user access to
several
organizations, but a user must select a single organization from an
Organization Dropdown while working in foreman.
multi_org: In multi_org mode, an Admin grants a user access to
several
organizations, and the user can see all system objects in all granted
organizations.

The single_org and multi_org modes do not control how many
organizations
a
user can belong to. Users can always belong to multiple orgs
regardless
of
this setting (see Current Organization(s) below).

This allows foreman to provide flexibility in managing organizations.

Administration

Administrators are not bound to organizations, so admins can see all
system
objects regardless of organizational association. Users (non-admins)
are
assigned to organizations. Users can only see the system objects
that
are
associated to their organizations.

Organizationally bound objects

Compute Resources
Domains
Environments
Hostgroups
Installation Media
Smart Proxies

Organizations and Users

When organizations are enabled, Users (specifically, non-admins) can
belong
to multiple organizations. If organizations are enabled, then users
can
only see system objects in their organizations. If a user is created
and
not granted access to any organizations, the user will not see any
organizationally bound objects. If a system object is created and
not
associated to any organizations, then no user will see the object
(not
even
those users who have no organization association).

Current Organization(s)

In single_org mode, if a user is associated with only one
organization,
that
organization becomes the user’s “current organization”. The current
organization provides foreman with the correct context for scope when
retrieving organizationally bound objects. If the user is associated
with
multiple organizations, the user can select the current organization
from an
organization drop down added to the topbar context. For the user in
multiple organizations, the default current organization is
User.current.organizations.first.

When creating system objects in single_org mode, the user’s current
organization is automatically associated with the system object being
created. For instance, when a user creates Domain “ABC” and has
Organization “X” currently selected. Domain “ABC” is automatically
associated with Organization “X”.

In multi_org mode, the current organizations is the list of
organizations
the user is associated with. The user will be able to see all the
object
associated to all of their organizations without having to select a
current
organization.

When creating system objects in multi_org mode, the user can select
to
add
the system object to any of their organizations via an
"Organizations"
tab
on the edit view.

Implementation

There are four key points of implementation:

enabling organizations
tracking current organization(s)
changes to views
updating the default_scope for model associations

Enabling organizations

The config/settings.yaml file contains two new settings: single_org
and
multi_org. These settings are mutually exclusive. They can both be
false,
but they can’t both be true. To enable organizations, the installer
should
set either single_org or multi_org to true.

Enabling organizations will enable the routes for organizations as
well
as
enable queries based on organization associations.

I haven’t tested enabling organizations, using organizations, then
disabling
organizations.

Tracking current organization(s)

In single_org mode, the current organization is tracked similar to
the
current user; in a thread local variable. When a user (non-admin)
logs
in,
the first organization (User.current.organizations.first) is selected
as
the
current organization. When the user changes the current organization
using
the organization drop down, the thread local variable is updated.

In multi_org mode, the current organizations is always
User.current.organizations.

Changes to views

An organization tab has been added to the form for system objects
that
are
organizationally bound. Administrators use the multi-checkbox on the
organizations tab to associated system objects to organizations.

Updating default_scope for model associations

In rails 3.0, the default_scope unnamed scope does not allow lambdas
or
blocks. The default_scope is evaluated immediately upon definition
instead
of being evaluated at the time of SQL composition. (This has been
fixed
in
rails 3.1 and moving forward:
https://rails.lighthouseapp.com/projects/8994/tickets/1812-default).
In
order to restrict queries for organizationally bound system objects,
the
processing of default_scope needed to change to allow a lambda to
grab
the
currently selected organization(s) based on the current user. This
change
is implemented as an initializer monkey patch of
ActiveRecord::Base.current_scoped_methods.

The side effect of this monkey patch is that it’s not possible to
stack
default_scopes that use lambdas and non-lambdas. For default_scopes
that
use lambdas, all the default scoping should be contained in the
lambda.

With lambdas available for default_scope, the model object
associations
are
fairly straightforward. The class method
Organization.apply_org_scope
will
scope the caller on its relationship with organizations through the
current
organization(s). Each model object for organizationally bound system
objects has a default_scope definition that calls
Organization.apply_org_scope in addition to any previous default
scoping
that was applied before the organizations feature.

Open questions

What are other objects that should be organizationally bound?

puppet classes
hosts

How should user filters interact with organizational filtering?
When a user tries to create Domain “ABC” in Organization “X” and
Domain
"ABC" already exists in Organization “Y”, the user will receive an
error
saying that “ABC” already exists. However, the user cannot access
Domain
"ABC". How should the foreman deal with this situation?

indicate the that Domain already exists, but the user does not have
access
to the Domain in that organization?
alert administrators that a user tried to add Domain “ABC” to an
different
Organization, and that perhaps the admin needs to associate the
existing
"ABC" Domain with more orgs?
other ideas?

Should there be a “default organization” setting a user can select
that
sets
the default current organization for the user upon login?
Is there a better way to represent the config/settings.yaml changes?
How do organizations and user groups coexist, if at all?
More questions?

Thanks!

---

Greg

If not, then I
envision location being an atribute of a resource group, or individual
resource.

-Brian

Ohad

-Brian

On Fri, Jul 27, 2012 at 11:16 AM, Sam Kottler > >> sam@kottlerdevelopment.com wrote:

I think that there should be both an expansion of the user group
system

and
how permissions work as well as organizations. User groups and
organizations
do collide in a semantic way, though, so maybe user groups need to be
renamed to “permission groups” (that name kind of sucks, too.
Suggestions?).
As the new names would suggest, permissions that can be applied to
groups of
users (whether inside an organization or not) would then be stored as
"permission group" object and then users inside or outside an
organization
can be placed into a permission group.

As for whether organizations are necessary, I definitely do think that
they
are a worthwhile addition to Foreman. When looking at a tool like
Katello,
it’s clear how powerful an organization system can become to support
multi-tenant installations. That being said, having a way that Foreman
can
run as a single org (without any of the organization-related
language/tools)
is important, too, and allows a smooth upgrade path for users who are
already happily using Foreman and don’t need the organization tools.

Brian, as someone who is already using Foreman with several different
customer accounts, I’m interested in how useful you see more global
permissions groups along with organizations vs. a single user group
model.
Thoughts?

On Thu, Jul 26, 2012 at 3:22 PM, Brian Gupta < > brian.gupta@brandorr.com> > >> > wrote:

My apologies for my short email. I generally like the direction we
are going here, of allowing permissions to be set more broadly than
at

the user level.

I just wonder, why create a new concept of ORG? Why not extend user
groups to provide this functionality, as I feel like much of what you
are describing is something that I would like to see at the user
group

level.

For example, I want some pretty hefty puppet class permissions at
the user group level, allowing me to set which puppet classes users
in

a
specific group can see in their list of available classes, and tag
nodes
with.
Classes would not be restricted to being used by group and some
groups

could
be common to all user groups. There are many other enhancements that
could
be done to user group permissions in the same vein, that appear to
overlap with ORG functionality.

Perhaps I am missing something fundamental here?

Thanks,
Brian

On Tue, Jul 24, 2012 at 4:41 PM, Greg Blomquist <blomquisg@gmail.com > > > >> >> wrote:

Hi all,

I apologize for the long email.
tl;dr: a discussion on the “organizations” feature for foreman; how
it’s
used, what’s changed in foreman, open questions.

I’ve been working on a feature for Foreman to add Organizations
(aka,

Locations). The concept is to be able to group system objects
together
and
control access by users. You can see the code here:
https://github.com/theforeman/foreman/tree/orgs.

Background

With Organizations, an Admin can place system objects (Domains,
Smart

Proxies, Compute Resources, etc…) into organizations and grant
users
access to organizations. Users (non-admins) can only see system
objects
in
their organizations.

Setup

An installer can enable organizations for a foreman instance by
setting
the
"single_org" or “multi_org” foreman setting to true (in
settings.yaml).
Foreman provides two ways to operate with organizations:

single_org: In single_org mode, an Admin can grant a user access to
several
organizations, but a user must select a single organization from an
Organization Dropdown while working in foreman.
multi_org: In multi_org mode, an Admin grants a user access to
several
organizations, and the user can see all system objects in all
granted

organizations.

The single_org and multi_org modes do not control how many
organizations
a
user can belong to. Users can always belong to multiple orgs
regardless
of
this setting (see Current Organization(s) below).

This allows foreman to provide flexibility in managing
organizations.

Administration

Administrators are not bound to organizations, so admins can see
all

system
objects regardless of organizational association. Users
(non-admins)

are
assigned to organizations. Users can only see the system objects
that
are
associated to their organizations.

Organizationally bound objects

Compute Resources
Domains
Environments
Hostgroups
Installation Media
Smart Proxies

Organizations and Users

When organizations are enabled, Users (specifically, non-admins)
can

belong
to multiple organizations. If organizations are enabled, then
users

can
only see system objects in their organizations. If a user is
created

and
not granted access to any organizations, the user will not see any
organizationally bound objects. If a system object is created and
not
associated to any organizations, then no user will see the object
(not
even
those users who have no organization association).

Current Organization(s)

In single_org mode, if a user is associated with only one
organization,
that
organization becomes the user’s “current organization”. The
current

organization provides foreman with the correct context for scope
when

retrieving organizationally bound objects. If the user is
associated

with
multiple organizations, the user can select the current
organization

from an
organization drop down added to the topbar context. For the user
in

multiple organizations, the default current organization is
User.current.organizations.first.

When creating system objects in single_org mode, the user’s current
organization is automatically associated with the system object
being

created. For instance, when a user creates Domain “ABC” and has
Organization “X” currently selected. Domain “ABC” is automatically
associated with Organization “X”.

In multi_org mode, the current organizations is the list of
organizations
the user is associated with. The user will be able to see all the
object
associated to all of their organizations without having to select a
current
organization.

When creating system objects in multi_org mode, the user can select
to
add
the system object to any of their organizations via an
"Organizations"
tab
on the edit view.

Implementation

There are four key points of implementation:

enabling organizations
tracking current organization(s)
changes to views
updating the default_scope for model associations

Enabling organizations

The config/settings.yaml file contains two new settings:
single_org

and
multi_org. These settings are mutually exclusive. They can both
be

false,
but they can’t both be true. To enable organizations, the
installer

should
set either single_org or multi_org to true.

Enabling organizations will enable the routes for organizations as
well
as
enable queries based on organization associations.

I haven’t tested enabling organizations, using organizations, then
disabling
organizations.

Tracking current organization(s)

In single_org mode, the current organization is tracked similar to
the
current user; in a thread local variable. When a user (non-admin)
logs
in,
the first organization (User.current.organizations.first) is
selected

as
the
current organization. When the user changes the current
organization

using
the organization drop down, the thread local variable is updated.

In multi_org mode, the current organizations is always
User.current.organizations.

Changes to views

An organization tab has been added to the form for system objects
that
are
organizationally bound. Administrators use the multi-checkbox on
the

organizations tab to associated system objects to organizations.

Updating default_scope for model associations

In rails 3.0, the default_scope unnamed scope does not allow
lambdas

or
blocks. The default_scope is evaluated immediately upon definition
instead
of being evaluated at the time of SQL composition. (This has been
fixed
in
rails 3.1 and moving forward:
https://rails.lighthouseapp.com/projects/8994/tickets/1812-default
).

In
order to restrict queries for organizationally bound system
objects,

the
processing of default_scope needed to change to allow a lambda to
grab
the
currently selected organization(s) based on the current user. This
change
is implemented as an initializer monkey patch of
ActiveRecord::Base.current_scoped_methods.

The side effect of this monkey patch is that it’s not possible to
stack
default_scopes that use lambdas and non-lambdas. For
default_scopes

that
use lambdas, all the default scoping should be contained in the
lambda.

With lambdas available for default_scope, the model object
associations
are
fairly straightforward. The class method
Organization.apply_org_scope
will
scope the caller on its relationship with organizations through the
current
organization(s). Each model object for organizationally bound
system

objects has a default_scope definition that calls
Organization.apply_org_scope in addition to any previous default
scoping
that was applied before the organizations feature.

Open questions

What are other objects that should be organizationally bound?

puppet classes
hosts

How should user filters interact with organizational filtering?
When a user tries to create Domain “ABC” in Organization “X” and
Domain
"ABC" already exists in Organization “Y”, the user will receive an
error
saying that “ABC” already exists. However, the user cannot access
Domain
"ABC". How should the foreman deal with this situation?

indicate the that Domain already exists, but the user does not have
access
to the Domain in that organization?
alert administrators that a user tried to add Domain “ABC” to an
different
Organization, and that perhaps the admin needs to associate the
existing
"ABC" Domain with more orgs?
other ideas?

Should there be a “default organization” setting a user can select
that
sets
the default current organization for the user upon login?
Is there a better way to represent the config/settings.yaml
changes?

How do organizations and user groups coexist, if at all?
More questions?

Thanks!

---

Greg

Greg

---

Greg

From Ohad Levy:

org should also have default values, that we could remove the non app
related settings from the hostgroups

(I am merely reporting, I didn’t understand what he meant :-P)

From the wiki page:

should hosts belong to more than one org?

I am sure it would be very beneficial.
Just like you may need to manage them both by BusinessUnit, OS, type of
instance, and location,
you may want to allow different permissions to the same host to different
persons, each having one or more rights (granted by roles, onto orgs).

Thinking of whitelist and blacklist filters (the broken “plus all” and
"must be" select beside the filters):

It is similar to “granting” and “denying” filters.
If used as “granted actions MINUS denied actions”, with granted actions
being OR-ed together from the whitelist and denied actions being OR-ed
together too from the blacklist,
the denied actions will prevail and clobber everything else, being counter
productive and misleading.
If used a la Apache HTTPD, the previous would be similar to using “order
allow, deny” (granting no rights by default, adding the mentioned rights,
then removing the other mentioned rights).
If we use a “order deny, allow” approach, we would first grant all rights,
then restrict rights, then extend rights.
The fact that all rights are granted by default seems completely wrong and
dangerous, right restriction would be complex too.

This is why I proposed FilterExpression above, with AND/OR/XOR/NOT
capabilities.
As we plan on using search strings in filters, this would almost come for
free.

Cheers,

Olivier Favre
www.yakaz.com

Tel: +49 2203 989967-0
Fax: +49 2203 989967-9

http://www.solvention.de
mailto:info@solvention.de

From the wiki page:

should hosts belong to more than one org?

I am sure it would be very beneficial.
Just like you may need to manage them both by BusinessUnit, OS, type of
instance, and location,
you may want to allow different permissions to the same host to different
persons, each having one or more rights (granted by roles, onto orgs).

Thinking of whitelist and blacklist filters (the broken “plus all” and
"must be" select beside the filters):

It is similar to “granting” and “denying” filters.
If used as “granted actions MINUS denied actions”, with granted actions
being OR-ed together from the whitelist and denied actions being OR-ed
together too from the blacklist,
the denied actions will prevail and clobber everything else, being counter
productive and misleading.
If used a la Apache HTTPD, the previous would be similar to using “order
allow, deny” (granting no rights by default, adding the mentioned rights,
then removing the other mentioned rights).
If we use a “order deny, allow” approach, we would first grant all rights,
then restrict rights, then extend rights.
The fact that all rights are granted by default seems completely wrong and
dangerous, right restriction would be complex too.

This is why I proposed FilterExpression above, with AND/OR/XOR/NOT
capabilities.
As we plan on using search strings in filters, this would almost come for
free.

Cheers,

Olivier Favre
www.yakaz.com

Am 01.08.2012 18:42, schrieb Olivier Favre:

I don’t particularly like the name “Organization”, it makes me think of
companies rather than a physical/logical hierarchy/classification of
stuff. Organization Unit is too close to Business Unit too, IMHO.

Looking at synonyms of synonyms I suggest: grouping, structure,
arrangement, layout, component, bunch, element, part, bundle,
collection, gathering, ensemble, entity,
categorization/classification/combination/composition/division, fragment
Using composed words may help making things clearer.

What about “Data Center” or “Zone”?
If I have to explain why these are good names they probably aren’t good names. So I leave it uncommented

HTH

Regards,
Andreas

Solvention Ltd. & Co. KG
St.-Sebastianus-Str. 5
51147 Köln

Tel: +49 2203 989967-0
Fax: +49 2203 989967-9

http://www.solvention.de
mailto:info@solvention.de