----- Original Message -----
From: "Oved Ourfalli" <ovedo(a)redhat.com>
Sent: Wednesday, December 4, 2013 3:40:55 AM
----- Original Message -----
> From: "Einav Cohen" <ecohen(a)redhat.com>
> To: "Malini Rao" <mrao(a)redhat.com>, "Eldan Hildesheim"
> <ehildesh(a)redhat.com>, "Scott Herold" <sherold(a)redhat.com>,
> "Arthur Berezin" <aberezin(a)redhat.com>, "Yair Zaslavsky"
> <yzaslavs(a)redhat.com>, "Gilad Chaplik"
> <gchaplik(a)redhat.com>, "Oved Ourfalli" <ovedo(a)redhat.com>
> Cc: "Users(a)ovirt.org" <users(a)ovirt.org>
> Sent: Tuesday, December 3, 2013 10:42:44 PM
> Subject: [Engine-devel] Fwd: Adding users and assigning roles in Ovirt
>
> [moving discussion to the users mailing list]
>
> while it seems that we all agree that adding some sort of a wizard
> that will allow easy permission assignment to newly-added users, it
> doesn't seem like something that can be accomplished soon (e.g. for
> ovirt 3.4).
>
> maybe we can utilize Ramesh's initial suggestion [1] for the short term -
> allow assignment of *System* permissions in the context of the 'Add
> User(s)' dialog [with an explicit clarification within the dialog that
> we are talking about *System* permissions, so that the admin will be
> aware that the privileges that he can assign in this context would be
> very permissive]
>
> any thoughts?
> how extensively are system permissions used in oVirt in general?
> [if adding a system permission is not a common/popular action, there
> is no reason to expose it in the 'Add User(s)' dialog, since it will
> probably be hardly used anyway]
>
I guess that most users added in this dialog are "users" and not
"administrators", and even for administrators I'm not sure they all get
system permissions.
It may imply we think it is the best-practice with regards to permissions.
In addition, adding system permission in the "Configure" dialog allows you to
also add the user, as it shows you all the users in the directory, and not
just the ones that were previously added via the "add user" dialog, so I
think we should leave it as is for now, given this workaround to do both
operations in the same dialog.

+1 on that, very good points, Oved.
[if anyone objects to keeping things as-is *for the short term* - please share. thanks]

> maybe different ideas for short-term solutions?
>
> ----
> Thanks,
> Einav
>
>
> [1] http://lists.ovirt.org/pipermail/engine-devel/2013-December/006059.html
>
>
> ----- Forwarded Message -----
> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
> To: "Einav Cohen" <ecohen(a)redhat.com>
> Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, engine-devel(a)ovirt.org
> Sent: Monday, December 2, 2013 4:09:10 PM
> Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
>
>
>
> ----- Original Message -----
> > From: "Einav Cohen" <ecohen(a)redhat.com>
> > To: "Malini Rao" <mrao(a)redhat.com>
> > Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, engine-devel(a)ovirt.org
> > Sent: Monday, December 2, 2013 9:55:45 PM
> > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> >
> > > ----- Original Message -----
> > > From: "Malini Rao" <mrao(a)redhat.com>
> > > Sent: Monday, December 2, 2013 2:20:06 PM
> > >
> > > Joining in the thread a bit green but wouldn't it be ok to add the new
> > > user with the most basic permissions by default (maybe just read only
> > > permissions) until the admin goes and deliberately tweaks permissions or
> > > assigns a role?
> >
> > this is similar to what Oved has suggested, but I think that it won't
> > really make any difference, since there is very little chance, in my view,
> > that these permissions would be sufficient for anything - the admin would
> > need to assign additional/different permissions at some point anyway, so
> > not much point in allowing that default minimal assignment in the first
> > place - we might as well keep the 'Add User(s)' dialog as is.
> >
> > >
> > > Also, if we add that roles drop down as Einav mentioned, isn't there a
> > > way to only show that drop down if the logged in user is an admin role?
> >
> > the logged in user must be an admin, as the 'Add User(s)' dialog (which is
> > available from the Users main tab) exists only in the web-admin, which is
> > accessible only to admins by definition.
> >
> > >
> > > +1 on the user adding wizard. I think in general connecting related task
> > > flows together will improve the overall UX too.
>
> +1 here
> >
> > agreed.
> >
> > >
> > > Thanks
> > > Malini
> > >
> > > ----- Original Message -----
> > > From: "Einav Cohen" <ecohen(a)redhat.com>
> > > To: "Gilad Chaplik" <gchaplik(a)redhat.com>, "Ramesh" <rnachimu(a)redhat.com>,
> > > "Oved Ourfalli" <ovedo(a)redhat.com>
> > > Cc: engine-devel(a)ovirt.org
> > > Sent: Monday, December 2, 2013 1:37:57 PM
> > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > >
> > > we should definitely not completely remove the possibility to add
> > > permission-less users to the system, due to possible use-cases as Gilad
> > > mentioned and/or simply to allow the flexibility of adding the user
> > > first, and only then adding the relevant (business entity and)
> > > permissions, should the admin choose to do so.
> > >
> > > the more correct location to add system permissions to a user would
> > > probably be a 'Add System Permission' dialog that will be available from
> > > the Permissions sub-tab of the Users main tab, however it won't allow
> > > to assign system permissions to several users at once, so I understand
> > > the need for this ability within the 'Add User(s)' dialog.
> > >
> > > I think that adding an "allow user to login" check-box would not be good
> > > enough, since once a user would be able to login, he won't be able to do
> > > (or even see) anything (well, other than the 'Blank' Template, maybe), so
> > > the admin would need to assign additional permissions to this user anyway.
> > > The minimal solution in my view is to add an "assign these users the
> > > following system permissions" check-box, with a Roles drop down; as Gilad
> > > mentioned - need to be very careful with that, as system-wide permissions
> > > are powerful.
> > > A more comprehensive solution (more complex for implementation) would
> > > probably be, as Oved mentioned, some sort of a user-adding-wizard, that
> > > will allow easy permissions-assignment (maybe even not only system-wide
> > > permissions) to the newly-added users.
> > >
> > > ----
> > > Thanks,
> > > Einav
> > >
> > > ----- Original Message -----
> > > > From: "Gilad Chaplik" <gchaplik(a)redhat.com>
> > > > To: "Oved Ourfalli" <ovedo(a)redhat.com>
> > > > Cc: engine-devel(a)ovirt.org
> > > > Sent: Monday, December 2, 2013 3:47:56 AM
> > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > >
> > > > Hi Ramesh,
> > > >
> > > > You're right, I also think that the 'add users' is a bit pointless,
> > > > but adding a system permission in that dialog can be dangerous (if admin
> > > > doesn't fully understand what he's doing, and MLA is complicated enough
> > > > ;-) ).
> > > >
> > > > Currently when adding a permission we can specify an AD-user
> > > > (regardless to the fact he's added or not), so eventually power users
> > > > can add users to the system.
> > > > I can think of a case, that admins will want to manage the users by
> > > > themselves, i.e. power users can add permissions for the added users
> > > > only. this way this dialog can be useful.
> > > >
> > > > Thanks,
> > > > Gilad.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Oved Ourfalli" <ovedo(a)redhat.com>
> > > > > To: "Ramesh" <rnachimu(a)redhat.com>
> > > > > Cc: engine-devel(a)ovirt.org
> > > > > Sent: Monday, December 2, 2013 9:01:52 AM
> > > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > >
> > > > > Your E-mail made me look a bit and check the different flows.
> > > > >
> > > > > I think the only use-case for adding users without giving any
> > > > > permissions is when you add a user for notification reasons.
> > > > > You can add a user, and then in the Event Notifier sub-tab define
> > > > > what events he will get via E-mail.
> > > > > afaik (and I'm not an event notifier expert), this user doesn't
> > > > > have to be able to login, or to have permissions of any kind. He just
> > > > > gets events.
>
> +1 - this is due to the fact a user has an email account - no need to login
> to ovirt-engine
> in order to read your emails :)
>
> > > > >
> > > > > Other than that you're right. A user which is added to the system
> > > > > can't do much without assigning him roles.
> > > > > I think adding roles assignment to this dialog may be a bit
> > > > > cumbersome.
> > > > > Perhaps some wizard is required in that case. Or at least some
> > > > > checkbox saying "allow user to login". That way the new user will be
> > > > > able to login, and he will have some default permissions as well
> > > > > (permissions granted to Everyone).
> > > > >
> > > > > Let's see what others think.
> > > > >
> > > > > Regards,
> > > > > Oved
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Ramesh" <rnachimu(a)redhat.com>
> > > > > > To: engine-devel(a)ovirt.org
> > > > > > Sent: Monday, December 2, 2013 7:22:53 AM
> > > > > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > We have 'Add' action under 'Users' main tab to add users in
> > > > > > Ovirt. It looks slightly different from the "Add user" option of
> > > > > > the Configure option. Actually, this one is missing the "Role to
> > > > > > Assign" option. I think without assigning any role, adding a user
> > > > > > is not meaningful and it didn't complete the flow.
> > > > > >
> > > > > > Currently to assign any role to the user, either we have to use
> > > > > > 'Configure' option (to add system permission) or we have to go to
> > > > > > the specific entity and add permission for that entity. It will be
> > > > > > nice if we can assign roles (system level permissions) while adding
> > > > > > users in 'Users' tab itself. It will be a clear user flow where one
> > > > > > can add user and assign role in the same place.
> > > > > >
> > > > > > I have attached both the screen shots.
> > > > > >
> > > > > > please share your thoughts.
> > > > > >
> > > > > > Regards,
> > > > > > Ramesh
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Engine-devel mailing list
> > > > > > Engine-devel(a)ovirt.org
> > > > > >
http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > > > >