Roles & Permissions with orgs and locations

Support
1

I am really, really liking the RBAC (role based access control) as both a developer and a user. It has the granularity to really lock things down in good ways. There is, of course, some more work to do in hooking it up under the hood. The UI too is functional but gets slow to use for complex roles (the API is much better for manipulating roles at the moment).

One question I have is, would it make sense to move the organizations and locations up to the role level? Right now each filter has its relation to orgs and locations.

As a reminder, a Role has many Filters and each Filter has many Permissions.

From a user point of view, I am finding myself wishing to create Roles that are associated with organizations. For example, a role that allows editing of provisioning templates in organization Datacenter. To do this, I would add the Datacenter organization to each of the handful of filters for this role.

Instead, from an user interface perspective (either the web UI or the hammer CLI), I could add functionality that enforced that filters in a role all have the same organizations and locations. The data model under the hood would not necessarily even have to change; we could just implement this as a "best practice" through the UI and CLI. (We could, of course, change the data model too if desired.)

Are there some use cases where you'd want a single Role that would allow view_domains in organization A and edit_domains in organization B? (In my adjustment, that would be two roles, one for A and another for B.)

··· -- @thomasmckay


“The leader must aim high, see big, judge widely, thus setting himself apart form the ordinary people who debate in narrow confines.” ~ Charles De Gaulle

“Leadership is about making others better as a result of your presence and making sure that impact lasts in your absence.” ~ Harvard Business School

2

A better example that I am finding common is for an "Organization Admin." There are 40 or so filters[1] required to make an org admin. To create a new one is difficult but with moving the organization up to the role level it would reduce to: 1) Clone "Mega Corporation Admin" to "My Corp Admin", 2) Edit role and remove Mega Corporation and add My Corp to organizations list. Alternatively it could further reduce to: 1) Edit role and add My Corp, if you wanted to group orgs like that. Currently the steps would be 1) Clone "Mega Corporation Admin" to "My Corp Admin", 2) Edit Domain filter and change org, 3) …, 41) Edit Report filter and change org.

The utility could of course be added in the UI and CLI to "add/remove organization to all filters in a role". This would be equivalent to my idea above plus exposing the current filter association.

[1] https://github.com/Katello/hammer-cli-csv/blob/master/test/data/roles.csv
See the "Mega Corporation Admin" role

··· ----- Original Message ----- > > I am really, really liking the RBAC (role based access control) as both a > developer and a user. It has the granularity to really lock things down in > good ways. There is, of course, some more work to do in hooking it up under > the hood. The UI too is functional but gets slow to use for complex roles > (the API is much better for manipulating roles at the moment). > > One question I have is, would it make sense to move the organizations and > locations up to the role level? Right now each filter has its relation to > orgs and locations. > > As a reminder, a Role has many Filters and each Filter has many Permissions. > > From a user point of view, I am finding myself wishing to create Roles that > are associated with organizations. For example, a role that allows editing > of provisioning templates in organization Datacenter. To do this, I would > add the Datacenter organization to each of the handful of filters for this > role. > > Instead, from an user interface perspective (either the web UI or the hammer > CLI), I could add functionality that enforced that filters in a role all > have the same organizations and locations. The data model under the hood > would not necessarily even have to change; we could just implement this as a > "best practice" through the UI and CLI. (We could, of course, change the > data model too if desired.) > > Are there some use cases where you'd want a single Role that would allow > view_domains in organization A and edit_domains in organization B? (In my > adjustment, that would be two roles, one for A and another for B.) >