You mean 'packager role'.

1. Create a collection named 'pkg USA servers' limited to 'all systems'.
2. Create a scope; give it a generic name since it can be for many purposes.
3. Create a new role to limit your 'action' permission.
4. Add user/group, add ONLY the scope and collection you created.
5. Select the built-in role or one you created.

In this scenario, the users would only have access to objects in 'pkg USA servers' and collections limited to it. In essence, the collection 'pkg USA servers' can be empty; the user would have access to deploy but no objects would be affected.

Cesar A.
Meaning is NOT in words, but inside people! Dr. Myles Munroe.

> On Feb 13, 2015, at 1:27 AM, Roland Janus <[email protected]> wrote:
>
> Actually I don’t know what you mean exactly with “scoped to an empty
> collection”.
> Can you elaborate?
>
> The goal is:
> Allow deployment of applications only while they have the scope “packagers”.
> Have read access to everything (basically), especially all applications.
>
> -roland
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of CESAR.ABREG0
> Sent: Thursday, 12 February 2015 22:00
> To: [email protected]
> Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense
>
> Though I see your point. That would depend on the objects you scope the role
> for. It can actually be scoped to an empty collection.
>
> Cesar A.
> Meaning is NOT in words, but inside people! Dr. Myles Munroe.
>
> On Feb 12, 2015, at 12:51 PM, Roland Janus <[email protected]> wrote:
>
> I disagree.
> Basically there is no useful method to prevent deploying any app as soon as
> they have access to any collection especially considering packagers.
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of elsalvoz
> Sent: Thursday, 12 February 2015 15:47
> To: [email protected]
> Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense
>
> Just went through that at latest gig.
>
> Those activities can only be executed onto collection. Kinda makes sense.
> Cesar
>
> On Feb 12, 2015 12:27 AM, "Roland Janus" <[email protected]> wrote:
> Have you noticed that the deploy and move action for an application is linked
> to a collection instead of the application object itself?
>
> I have a packager role and a packager scope. There are also collections for
> them and that’s the only thing they can touch.
> Almost..
>
> They can create apps, collections within their limits and deploy to them.
> Once an admin changes the scope of a package, removes “packagers” leaving
> “default”, their edit/delete etc. access is revoked.
> But they still can “deploy”, because that action is linked to a collection
> and not what would make sense to me to the application.
> I mean the object to control is the application, not the collection, why
> would “deploy” be part of a collection?
> Shouldn’t deploy always be linked to the object to deploy and not what to
> deploy TO? So “deploy” for all classes (app, packages, settings etc.)?
> Does that make sense to you?
>
> I could remove read only access, then they wouldn’t see it anymore, hence
> can’t deploy, but I want them to be able to see live apps.
>
> Is there a way around that?
>
> -Roland

