Hello,

after some work that has been done on Roles and Organization/Locations recently, we realized that we tend to support a very complicated feature. We allow delegating role editing permissions to non-admin users. When Organizations and Locations are also enabled, users and filters can be scoped to them too. With Foreman 1.13, this will be available for Roles as well.

Let's assume we have a user scoped to Org A and B and he can edit roles. From his point of view, when editing the role Manager, he updates only permissions for these two orgs, but since the role is global it could affect other orgs too. We could add some check that the user can only edit roles that are associated to the same or fewer orgs as his account is. But there's another problem - no organization set actually means "any organization". So if the user removes all org associations, he or she would make it global, thus affecting all users. Again, we could add some extra check for this case. There's also a permission for what organizations and locations a user can assign, which is automatically checked after each save, so the user should also have this permission for all organizations he's assigned to. Another challenge is how to tell users that they can't edit this role because of the reasons described above. We'd have to say "you can't edit this role because it's being used also elsewhere but we can't tell you where".

Well, if you understood all I've written so far, maybe it's just my feeling, but I find all of this unnecessarily complicated. I saw other apps that only allowed role modification to super admin users. Other users could still assign user accounts with existing roles, but they couldn't modify the scope of these roles. Therefore my question: would a simplification like this be considered a problem for any Foreman user? Or can we let only admins edit roles and filters?

Thanks for any feedback

--
Marek
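
The checks discussed in the message above, sketched as an added Ruby example (not Foreman's code and not part of the original post). The `Role` and `User` structs, `check_role_edit`, the denial texts and the sample data are hypothetical, and the "assignable organizations" permission is modelled as a plain subset test.

```ruby
require 'set'

# Hypothetical model, not Foreman's classes. A role with an empty
# org list applies to "any organization", as the message states.
Role = Struct.new(:name, :org_ids)
User = Struct.new(:login, :org_ids, :assignable_org_ids, :admin)

# Make the "empty means global" rule explicit instead of implicit.
def role_scope(org_ids)
  org_ids.empty? ? :any : Set.new(org_ids)
end

# True when a role scope reaches no organization outside `allowed`.
def within?(scope, allowed)
  scope != :any && scope.subset?(allowed)
end

# Returns [allowed, reason]; reasons never name organizations the
# editor is not scoped to.
def check_role_edit(user, role, new_org_ids)
  return [true, 'admin'] if user.admin
  own = Set.new(user.org_ids)
  unless within?(role_scope(role.org_ids), own)
    return [false, 'role is also used outside your organizations']
  end
  unless within?(role_scope(new_org_ids), own)
    return [false, 'edit would widen the role beyond your organizations']
  end
  # Assumption: the assign permission is a list of org ids the user may set.
  unless Set.new(new_org_ids).subset?(Set.new(user.assignable_org_ids))
    return [false, 'you may not assign one of the selected organizations']
  end
  [true, 'ok']
end

# Constructed sample data.
ALICE   = User.new('alice', %w[A B], %w[A B], false)
BOB     = User.new('bob', %w[A B], %w[A], false)
MANAGER = Role.new('Manager', %w[A B])
SHARED  = Role.new('Shared', %w[A B C])
GLOBAL  = Role.new('Global', [])

if __FILE__ == $PROGRAM_NAME
  p check_role_edit(ALICE, MANAGER, %w[A])   # narrowing inside own orgs
  p check_role_edit(ALICE, MANAGER, [])      # clearing orgs makes it global
  p check_role_edit(ALICE, SHARED, %w[A])    # role also used by org C
end
```
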
