[Engine-devel] Fwd: Adding users and assigning roles in Ovirt
Einav Cohen
ecohen at redhat.com
Tue Dec 3 20:42:44 UTC 2013
[moving discussion to the users mailing list]
while it seems that we all agree that adding some sort of a wizard
that will allow easy permission assignment to newly-added users, it
doesn't seem like something that can be accomplished soon (e.g. for
ovirt 3.4).
maybe we can utilize Ramesh's initial suggestion [1] for the short term -
allow assignment of *System* permissions in the context of the 'Add
User(s)' dialog [with an explicit clarification within the dialog that
we are talking about *System* permissions, so that the admin will be
aware that the privileges that he can assign in this context would be
very permissive]
any thoughts?
how extensively are system permissions used in oVirt in general?
[if adding a system permission is not a common/popular action, there
is no reason to expose it in the 'Add User(s)' dialog, since it will
probably be hardly used anyway]
maybe different ideas for short-term solutions?
----
Thanks,
Einav
[1] http://lists.ovirt.org/pipermail/engine-devel/2013-December/006059.html
----- Forwarded Message -----
From: "Yair Zaslavsky" <yzaslavs at redhat.com>
To: "Einav Cohen" <ecohen at redhat.com>
Cc: "Oved Ourfalli" <ovedo at redhat.com>, engine-devel at ovirt.org
Sent: Monday, December 2, 2013 4:09:10 PM
Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
----- Original Message -----
> From: "Einav Cohen" <ecohen at redhat.com>
> To: "Malini Rao" <mrao at redhat.com>
> Cc: "Oved Ourfalli" <ovedo at redhat.com>, engine-devel at ovirt.org
> Sent: Monday, December 2, 2013 9:55:45 PM
> Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
>
> > ----- Original Message -----
> > From: "Malini Rao" <mrao at redhat.com>
> > Sent: Monday, December 2, 2013 2:20:06 PM
> >
> > Joining in the thread a bit green but wouldn't it be ok to add the new user
> > with the most basic permissions by default ( may be just read only
> > permissions)until the admin goes and deliberately tweaks permissions or
> > assigns a role?
>
> this is similar to what Oved has suggested, but I think that it won't really
> make any difference, since there is very little chance, in my view, that
> these
> permissions would be sufficient for anything - the admin would need to assign
> additional/different permissions at some point anyway, so not much point in
> allowing that default minimal assignment in the first place - we might as
> well
> keep the 'Add User(s)' dialog as is.
>
> >
> > Also, if we add that roles drop down as Einav mentioned, isn't there a way
> > to
> > only show that drop down if the logged in user is an admin role?
>
> the logged in user must be an admin, as the 'Add User(s)' dialog (which is
> available from the Users main tab) exists only in the web-admin, which is
> accessible only to admins by definition.
>
> >
> > +1 on the user adding wizard. I think in general connecting related task
> > flows together will improve the overall UX too.
+1 here
>
> agreed.
>
> >
> > Thanks
> > Malini
> >
> > ----- Original Message -----
> > From: "Einav Cohen" <ecohen at redhat.com>
> > To: "Gilad Chaplik" <gchaplik at redhat.com>, "Ramesh" <rnachimu at redhat.com>,
> > "Oved Ourfalli" <ovedo at redhat.com>
> > Cc: engine-devel at ovirt.org
> > Sent: Monday, December 2, 2013 1:37:57 PM
> > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> >
> > we should definitely not completely remove the possibility to add
> > permission-less users to the system,
> > due to possible use-cases as Gilad mentioned and/or simply to allow the
> > flexibility of adding the user
> > first, and only then adding the relevant (business entity and) permissions,
> > should the admin choose to
> > do so.
> >
> > the more correct location to add system permissions to a user would
> > probably
> > be a 'Add System Permission'
> > dialog that will be available from the Permissions sub-tab of the Users
> > main
> > tab, however it won't allow
> > to assign system permissions to several users at once, so I understand the
> > need for this ability within
> > the 'Add User(s)' dialog.
> >
> > I think that adding an "allow user to login" check-box would not be good
> > enough, since once a user
> > would be able to login, he won't be able to do (or even see) anything
> > (well,
> > other than the 'Blank'
> > Template, maybe), so the admin would need to assign additional permissions
> > to
> > this user anyway.
> > The minimal solution in my view is to add a "assign these users the
> > following
> > system permissions"
> > check-box, with a Roles drop down; as Gilad mentioned - need to be very
> > careful with that, as
> > system-wide permissions are powerful.
> > A more comprehensive solution (more complex for implementation) would
> > probably be, as Oved mentioned,
> > some sort of a user-adding-wizard, that will allow easy
> > permissions-assignment (maybe even not only
> > system-wide permissions) to the newly-added users.
> >
> > ----
> > Thanks,
> > Einav
> >
> > ----- Original Message -----
> > > From: "Gilad Chaplik" <gchaplik at redhat.com>
> > > To: "Oved Ourfalli" <ovedo at redhat.com>
> > > Cc: engine-devel at ovirt.org
> > > Sent: Monday, December 2, 2013 3:47:56 AM
> > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > >
> > > Hi Ramesh,
> > >
> > > You're right, I also think that the 'add users' is a bit pointless, but
> > > adding a system permission in that dialog can be dangerous (if admin
> > > doesn't
> > > fully understand what he's doing, and MLA is complicated enough ;-) ).
> > >
> > > Currently when adding a permission we can specify a AD-user (regardless
> > > to
> > > the fact he's added or not), So eventually power users can add users to
> > > the
> > > system.
> > > I can think of a case, that admins will want to manage the users by
> > > themselves, i.e- power users can add permissions for the added users
> > > only.
> > > this way this dialog can be useful.
> > >
> > > Thanks,
> > > Gilad.
> > >
> > > ----- Original Message -----
> > > > From: "Oved Ourfalli" <ovedo at redhat.com>
> > > > To: "Ramesh" <rnachimu at redhat.com>
> > > > Cc: engine-devel at ovirt.org
> > > > Sent: Monday, December 2, 2013 9:01:52 AM
> > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > >
> > > > Your E-mail made me look a bit and check the different flows.
> > > >
> > > > I think the only use-case for adding users without giving any
> > > > permissions
> > > > is
> > > > when you add a user for notification reasons.
> > > > You can add a user, and then in the Event Notifier sub-tab define what
> > > > events
> > > > he will get via E-mail.
> > > > afaik (and I'm not an event notifier expert), this user doesn't have to
> > > > be
> > > > able to login, or to have permissions of any kind. He just gets events.
+1 - this is due to the fact a user has an email account - no need to login to ovirt-engine
in order to read your emails :)
> > > >
> > > > Other than that you're right. A user which is added to the system can't
> > > > do
> > > > much without assigning him roles.
> > > > I think adding roles assignment to this dialog may be a bit cumbersome.
> > > > Perhaps some wizard is required in that case. Or at least some checkbox
> > > > saying "allow user to login". That way the new user will be able to
> > > > login,
> > > > and he will have some default permissions as well (permissions granted
> > > > to
> > > > Everyone).
> > > >
> > > > Let's see what others think.
> > > >
> > > > Regards,
> > > > Oved
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Ramesh" <rnachimu at redhat.com>
> > > > > To: engine-devel at ovirt.org
> > > > > Sent: Monday, December 2, 2013 7:22:53 AM
> > > > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > >
> > > > > Hi All,
> > > > >
> > > > > We have 'Add' action under 'Users' main tab to add users in Ovirt
> > > > > .
> > > > > It looks slightly different from the "Add user" option of the
> > > > > Configure
> > > > > option. Actually, this one is missing the "Role to Assign" option. I
> > > > > think without assigning any role, adding a user is not meaningful and
> > > > > it
> > > > > didn't complete the flow.
> > > > >
> > > > > Currently to assign any role to the user, either we have to use
> > > > > 'Configure' option ( to add system permission) or we have to go to
> > > > > the
> > > > > specific entity and add permission for that entity. It will be nice
> > > > > if
> > > > > we can assign roles( system level permissions) while adding users in
> > > > > 'Users' tab itself. It will be a clear user flow where one can add
> > > > > user
> > > > > and assign role in the same place.
> > > > >
> > > > > I have attached both the screen shots.
> > > > >
> > > > > please share your thoughts.
> > > > >
> > > > > Regards,
> > > > > Ramesh
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Engine-devel mailing list
> > > > > Engine-devel at ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > > >
> > > > _______________________________________________
> > > > Engine-devel mailing list
> > > > Engine-devel at ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > >
> > > _______________________________________________
> > > Engine-devel mailing list
> > > Engine-devel at ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > >
> > _______________________________________________
> > Engine-devel mailing list
> > Engine-devel at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > _______________________________________________
> > Engine-devel mailing list
> > Engine-devel at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/engine-devel
> >
> >
> >
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
>
_______________________________________________
Engine-devel mailing list
Engine-devel at ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
More information about the Devel
mailing list