[Users] [Engine-devel] Fwd: Adding users and assigning roles in Ovirt

Einav Cohen ecohen at redhat.com
Wed Dec 4 15:25:31 UTC 2013


> ----- Original Message -----
> From: "Oved Ourfalli" <ovedo at redhat.com>
> Sent: Wednesday, December 4, 2013 3:40:55 AM
> 
> 
> 
> ----- Original Message -----
> > From: "Einav Cohen" <ecohen at redhat.com>
> > To: "Malini Rao" <mrao at redhat.com>, "Eldan Hildesheim"
> > <ehildesh at redhat.com>, "Scott Herold" <sherold at redhat.com>,
> > "Arthur Berezin" <aberezin at redhat.com>, "Yair Zaslavsky"
> > <yzaslavs at redhat.com>, "Gilad Chaplik"
> > <gchaplik at redhat.com>, "Oved Ourfalli" <ovedo at redhat.com>
> > Cc: "Users at ovirt.org" <users at ovirt.org>
> > Sent: Tuesday, December 3, 2013 10:42:44 PM
> > Subject: [Engine-devel] Fwd:  Adding users and assigning roles in Ovirt
> > 
> > [moving discussion to the users mailing list]
> > 
> > while it seems that we all agree that adding some sort of a wizard
> > that will allow easy permission assignment to newly-added users, it
> > doesn't seem like something that can be accomplished soon (e.g. for
> > ovirt 3.4).
> > 
> > maybe we can utilize Ramesh's initial suggestion [1] for the short term -
> > allow assignment of *System* permissions in the context of the 'Add
> > User(s)' dialog [with an explicit clarification within the dialog that
> > we are talking about *System* permissions, so that the admin will be
> > aware that the privileges that he can assign in this context would be
> > very permissive]
> > 
> > any thoughts?
> > how extensively are system permissions used in oVirt in general?
> > [if adding a system permission is not a common/popular action, there
> > is no reason to expose it in the 'Add User(s)' dialog, since it will
> > probably be hardly used anyway]
> > 
> 
> I guess that most users added in this dialog are "users" and not
> "administrators", and even for administrators I'm not sure they all get
> system permissions.
> It may imply we think it is the best-practice with regards to permissions.
> In addition, adding system permission in the "Configure" dialog allows you to
> also add the user, as it shows you all the users in the directory, and not
> just the ones that were previously added via the "add user" dialog, so I
> think we should leave it as is for now, given this workaround to do both
> operations in the same dialog.

+1 on that, very good points, Oved. 
[if anyone objects to keeping things as-is *for the short term* - please share. thanks]

> 
> 
> > maybe different ideas for short-term solutions?
> > 
> > ----
> > Thanks,
> > Einav
> > 
> > 
> > [1] http://lists.ovirt.org/pipermail/engine-devel/2013-December/006059.html
> > 
> > 
> > ----- Forwarded Message -----
> > From: "Yair Zaslavsky" <yzaslavs at redhat.com>
> > To: "Einav Cohen" <ecohen at redhat.com>
> > Cc: "Oved Ourfalli" <ovedo at redhat.com>, engine-devel at ovirt.org
> > Sent: Monday, December 2, 2013 4:09:10 PM
> > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Einav Cohen" <ecohen at redhat.com>
> > > To: "Malini Rao" <mrao at redhat.com>
> > > Cc: "Oved Ourfalli" <ovedo at redhat.com>, engine-devel at ovirt.org
> > > Sent: Monday, December 2, 2013 9:55:45 PM
> > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > 
> > > > ----- Original Message -----
> > > > From: "Malini Rao" <mrao at redhat.com>
> > > > Sent: Monday, December 2, 2013 2:20:06 PM
> > > > 
> > > > > Joining in the thread a bit green but wouldn't it be ok to add the
> > > > > new user with the most basic permissions by default (maybe just
> > > > > read-only permissions) until the admin goes and deliberately tweaks
> > > > > permissions or assigns a role?
> > > 
> > > > this is similar to what Oved has suggested, but I think that it won't
> > > > really make any difference, since there is very little chance, in my
> > > > view, that these permissions would be sufficient for anything - the
> > > > admin would need to assign additional/different permissions at some
> > > > point anyway, so not much point in allowing that default minimal
> > > > assignment in the first place - we might as well keep the
> > > > 'Add User(s)' dialog as is.
> > > 
> > > > 
> > > > > Also, if we add that roles drop down as Einav mentioned, isn't there
> > > > > a way to only show that drop down if the logged in user is an admin
> > > > > role?
> > > 
> > > > the logged in user must be an admin, as the 'Add User(s)' dialog
> > > > (which is available from the Users main tab) exists only in the
> > > > web-admin, which is accessible only to admins by definition.
> > > 
> > > > 
> > > > > +1 on the user adding wizard. I think in general connecting related
> > > > > task flows together will improve the overall UX too.
> > 
> > +1 here
> > > 
> > > agreed.
> > > 
> > > > 
> > > > Thanks
> > > > Malini
> > > > 
> > > > ----- Original Message -----
> > > > From: "Einav Cohen" <ecohen at redhat.com>
> > > > To: "Gilad Chaplik" <gchaplik at redhat.com>, "Ramesh"
> > > > <rnachimu at redhat.com>,
> > > > "Oved Ourfalli" <ovedo at redhat.com>
> > > > Cc: engine-devel at ovirt.org
> > > > Sent: Monday, December 2, 2013 1:37:57 PM
> > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > 
> > > > > we should definitely not completely remove the possibility to add
> > > > > permission-less users to the system, due to possible use-cases as
> > > > > Gilad mentioned and/or simply to allow the flexibility of adding the
> > > > > user first, and only then adding the relevant (business entity and)
> > > > > permissions, should the admin choose to do so.
> > > > 
> > > > > the more correct location to add system permissions to a user would
> > > > > probably be an 'Add System Permission' dialog that will be available
> > > > > from the Permissions sub-tab of the Users main tab, however it won't
> > > > > allow to assign system permissions to several users at once, so I
> > > > > understand the need for this ability within the 'Add User(s)' dialog.
> > > > 
> > > > > I think that adding an "allow user to login" check-box would not be
> > > > > good enough, since once a user would be able to login, he won't be
> > > > > able to do (or even see) anything (well, other than the 'Blank'
> > > > > Template, maybe), so the admin would need to assign additional
> > > > > permissions to this user anyway.
> > > > > The minimal solution in my view is to add an "assign these users the
> > > > > following system permissions" check-box, with a Roles drop down; as
> > > > > Gilad mentioned - need to be very careful with that, as system-wide
> > > > > permissions are powerful.
> > > > > A more comprehensive solution (more complex for implementation) would
> > > > > probably be, as Oved mentioned, some sort of a user-adding-wizard,
> > > > > that will allow easy permissions-assignment (maybe even not only
> > > > > system-wide permissions) to the newly-added users.
> > > > 
> > > > ----
> > > > Thanks,
> > > > Einav
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Gilad Chaplik" <gchaplik at redhat.com>
> > > > > To: "Oved Ourfalli" <ovedo at redhat.com>
> > > > > Cc: engine-devel at ovirt.org
> > > > > Sent: Monday, December 2, 2013 3:47:56 AM
> > > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > > 
> > > > > Hi Ramesh,
> > > > > 
> > > > > > You're right, I also think that the 'add users' is a bit pointless,
> > > > > > but adding a system permission in that dialog can be dangerous (if
> > > > > > admin doesn't fully understand what he's doing, and MLA is
> > > > > > complicated enough ;-) ).
> > > > > 
> > > > > > Currently when adding a permission we can specify an AD-user
> > > > > > (regardless of the fact he's added or not), so eventually power
> > > > > > users can add users to the system.
> > > > > > I can think of a case, that admins will want to manage the users by
> > > > > > themselves, i.e. power users can add permissions for the added
> > > > > > users only. This way this dialog can be useful.
> > > > > 
> > > > > Thanks,
> > > > > Gilad.
> > > > > 
> > > > > ----- Original Message -----
> > > > > > From: "Oved Ourfalli" <ovedo at redhat.com>
> > > > > > To: "Ramesh" <rnachimu at redhat.com>
> > > > > > Cc: engine-devel at ovirt.org
> > > > > > Sent: Monday, December 2, 2013 9:01:52 AM
> > > > > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > > > 
> > > > > > Your E-mail made me look a bit and check the different flows.
> > > > > > 
> > > > > > > I think the only use-case for adding users without giving any
> > > > > > > permissions is when you add a user for notification reasons.
> > > > > > > You can add a user, and then in the Event Notifier sub-tab define
> > > > > > > what events he will get via E-mail.
> > > > > > > afaik (and I'm not an event notifier expert), this user doesn't
> > > > > > > have to be able to login, or to have permissions of any kind. He
> > > > > > > just gets events.
> > 
> > +1 - this is due to the fact a user has an email account - no need to login
> > to ovirt-engine
> > in order to read your emails :)
> > 
> > > > > > 
> > > > > > > Other than that you're right. A user which is added to the system
> > > > > > > can't do much without assigning him roles.
> > > > > > > I think adding roles assignment to this dialog may be a bit
> > > > > > > cumbersome. Perhaps some wizard is required in that case. Or at
> > > > > > > least some checkbox saying "allow user to login". That way the
> > > > > > > new user will be able to login, and he will have some default
> > > > > > > permissions as well (permissions granted to Everyone).
> > > > > > 
> > > > > > Let's see what others think.
> > > > > > 
> > > > > > Regards,
> > > > > > Oved
> > > > > > 
> > > > > > 
> > > > > > ----- Original Message -----
> > > > > > > From: "Ramesh" <rnachimu at redhat.com>
> > > > > > > To: engine-devel at ovirt.org
> > > > > > > Sent: Monday, December 2, 2013 7:22:53 AM
> > > > > > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > > > > 
> > > > > > > Hi All,
> > > > > > > 
> > > > > > > > We have 'Add' action under 'Users' main tab to add users in
> > > > > > > > Ovirt. It looks slightly different from the "Add user" option
> > > > > > > > of the Configure option. Actually, this one is missing the
> > > > > > > > "Role to Assign" option. I think without assigning any role,
> > > > > > > > adding a user is not meaningful and it didn't complete the flow.
> > > > > > > 
> > > > > > > > Currently to assign any role to the user, either we have to use
> > > > > > > > 'Configure' option (to add system permission) or we have to go
> > > > > > > > to the specific entity and add permission for that entity. It
> > > > > > > > will be nice if we can assign roles (system level permissions)
> > > > > > > > while adding users in 'Users' tab itself. It will be a clear
> > > > > > > > user flow where one can add user and assign role in the same
> > > > > > > > place.
> > > > > > > 
> > > > > > > I have attached both the screen shots.
> > > > > > > 
> > > > > > > please share your thoughts.
> > > > > > > 
> > > > > > > Regards,
> > > > > > > Ramesh
> > > > > > > 
> > > > > > > 
> > > > > > > _______________________________________________
> > > > > > > Engine-devel mailing list
> > > > > > > Engine-devel at ovirt.org
> > > > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel
> > > > > > > 