[Katello] Initial Roles work merged

All,

We've merged a large chunk of the roles conversion to master with PRs to
quickly follow to clean-up and address other entities. If you pull master
you will need to migrate your database. A more detailed email will follow
once we have the final entity conversions in place.

Thanks,
Eric

I am looking at the various roles that are out there in a pre-configured
Foreman. Can I get a quick summary of the purpose of each? If I can
understand what is there, I can suggest how to add the katello
permissions into these existing roles.

Manager -> Seems like this person can do almost anything. This looks
like org admin except that this user can create new orgs.

Site manager -> Seems like this allows viewing a lot of data, but
modifying configuration data and creating hosts. Is this your typical
sysadmin?

Edit Partition Tables -> This seems to be an add on to other roles to
just expose partition tables.

View hosts -> This seems to be an add on to other roles to just expose
viewing hosts.

Edit hosts -> This seems to be an add on to other roles to just expose
management of hosts.

Viewer -> The read only user

Default user -> I assume this is the "no roles assigned" case, and it
gives read only access to everything?

Anonymous -> ???

Can I assume, also, that the above view/create/etc filters only apply to
the orgs/locations which the user is assigned to?

- bk
On 05/15/2014 01:50 PM, Eric D Helms wrote:
> All,
>
> We've merged a large chunk of the roles conversion to master with PRs to
> quickly follow to clean-up and address other entities. If you pull
> master you will need to migrate your database. A more detailed email
> will follow once we have the final entity conversions in place.
>
> Thanks,
> Eric

Hello,

my comments below in text

> > All,
> >
> > We've merged a large chunk of the roles conversion to master with PRs to
> > quickly follow to clean-up and address other entities. If you pull
> > master you will need to migrate your database. A more detailed email
> > will follow once we have the final entity conversions in place.
> >
> > Thanks,
> > Eric
>
> I am looking at the various roles that are out there in a pre-configured
> Foreman. Can I get a quick summary of the purpose of each? If I can
> understand what is there, I can suggest how to add the katello
> permissions into these existing roles.
>
> Manager -> Seems like this person can do almost anything. This looks
> like org admin except that this user can create new orgs.
>
> Site manager -> Seems like this allows viewing a lot of data, but
> modifying configuration data and creating hosts. Is this your typical
> sysadmin?
>
> Edit Partition Tables -> This seems to be an add on to other roles to
> just expose partition tables.
>
> View hosts -> This seems to be an add on to other roles to just expose
> viewing hosts.
>
> Edit hosts -> This seems to be an add on to other roles to just expose
> management of hosts.
>
> Viewer -> The read only user
>
> Default user -> I assume this is the "no roles assigned" case, and it
> gives read only access to everything?

Foreman manual says
Default user: When a new Role is created this set of permissions are used as
the template for the Role. The name is somewhat misleading but basically an
ordinary default user who was assigned this Role would have these permissions
set.

So my understanding is that this is a template for a new role.

> Anonymous -> ???

Definition
Anonymous: This is a set of permissions that every user at your installation
will be granted, irrespective of any other roles that they have.

So this one is a role that is shared by all users in the system, and no one can
unassign it. You can modify the permissions of this role according to your needs
(it can even grant no permission).

> Can I assume, also, that the above view/create/etc filters only apply to
> the orgs/locations which the user is assigned to?

Yes, although the role filters are global by default, the result is that a user
can see only resources from his taxonomies (orgs/locs). This is not handled by
the permission system; in fact, when a user is in a specific context, only resources
from that context are displayed (including inheritance). So if you leave your
filters global, they can be shared among all orgs. The major issue appears
when we assign a user to more than one organization, which allows him to get into
the 'any organization' context; then he can see all resources from all orgs. Then
'any' does not mean just his organizations but really any. This is tracked in
Bug #2298 (User in multiple Orgs gets 'Any Organization' option that really is any Org), without any clear resolution.

On Thursday 15 of May 2014 16:57:56 Bryan Kearney wrote:
> On 05/15/2014 01:50 PM, Eric D Helms wrote:


Marek
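
The context scoping described in the reply above, and the 'Any Organization' case tracked in Bug #2298, as a small Ruby model. This is an added example, not Foreman or Katello code: every class, method and host name is hypothetical, the sample data is constructed, and taxonomy inheritance is left out.

```ruby
# Illustrative model only; names are hypothetical, not Foreman's API.
Host = Struct.new(:name, :org)
User = Struct.new(:login, :orgs)

HOSTS = [ # constructed sample data
  Host.new("web01", "Org A"),
  Host.new("db01",  "Org B"),
  Host.new("ci01",  "Org C"),
].freeze

# Contexts a user may select: each assigned org, plus :any once there is more than one.
def selectable_contexts(user)
  user.orgs.size > 1 ? user.orgs + [:any] : user.orgs
end

# Behaviour described in the thread: the role filter is global, so only the
# selected context narrows the result, and :any applies no narrowing at all.
def visible_as_described(user, context)
  raise ArgumentError, "context not selectable" unless selectable_contexts(user).include?(context)
  return HOSTS.map(&:name) if context == :any
  HOSTS.select { |h| h.org == context }.map(&:name)
end

# Scoped variant: :any is expanded to the user's own orgs before filtering.
def visible_scoped(user, context)
  raise ArgumentError, "context not selectable" unless selectable_contexts(user).include?(context)
  allowed = context == :any ? user.orgs : [context]
  HOSTS.select { |h| allowed.include?(h.org) }.map(&:name)
end

# Regression check: names in `visible` that lie outside the user's assigned orgs.
def leaked(user, visible)
  own = HOSTS.select { |h| user.orgs.include?(h.org) }.map(&:name)
  visible - own
end

alice = User.new("alice", ["Org A", "Org B"]) # assigned to two orgs, so :any is offered
puts "as described: #{leaked(alice, visible_as_described(alice, :any)).inspect}"
puts "scoped:       #{leaked(alice, visible_scoped(alice, :any)).inspect}"
```

A check like `leaked` run for a user assigned to two organizations is the kind of regression test that would catch this class of scoping gap.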