Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/27/2014 07:27 PM, Petr Vobornik wrote:

On 2.6.2014 15:59, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

It would be great to get this into 4.0, resuming the discussion.

My proposal which takes into account various other proposals:

Identity (7)
- Users
- User Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
  - User group rules
  - Host group rules

Policy (5)
- Host Based Access Control
  - HBAC Rules
  - HBAC Services
  - HBAC Service Groups
  - HBAC Test
- Sudo
  - Sudo Rules
  - Sudo Commands
  - Sudo Command Groups
- SELinux User Maps
- Password Policies
- Kerberos Ticket Policy

Authentication (3-4)
- Certificates
- (future) User Certificates
- OTP Tokens
- RADIUS Servers

Network services (2-3)
- Automount
- DNS
  - DNS Zones
  - DNS Forward Zones
  - DNS Global Configuration
- (future) Vault

IPA Server (5-7)
- Role Based Access Control
  - Roles
  - Privileges
  - Permissions
  - Self Service Permissions
  - Delegations
- ID Ranges
- Realm Domain
- (future) Replication Topology
- Trusts
  - Trusts
  - Global Trust Configuration
- (future) Views
- Configuration

(future) Help
- Docs
- API
- ...

Mostly it's a response to the last proposal: http://www.redhat.com/archives/freeipa-devel/2014-June/msg00107.html

You can check live version at: http://pvoborni.fedorapeople.org/ui/

From the earlier discussion I would say, that there was an agreement on Identity and Policy tabs which are very similar to current implementation.

Simo had a proposal to introduce Authentication tab in a future. I guess we can do it now. We already have radius server proxies and certificates are also related. It will solve the OTP doesn't fit anywhere problem

I've kept the Network Services tab because IDK where to put DNS and Automount :)

Simo's 'Directory' and 'Configuration' were merged into existing 'IPA server' with the difference that all RBAC related stuff is under one item (this option was mentioned by Petr3). Btw RBAC === Existing items in 'Directory'.

The label is 'IPA Server' because almost everything is related to configuration of the server itself maybe with exception of Trust and Views. Label 'Configuration' is too general. Label Directory was quite low-level as pointed out by Dmitry. This merge allows us to add 'Help' in a future.

It would be good to move something into Network services (and maybe rename it) since it has only two(three in future) items.

Thanks for returning to this effort. 4.0 is indeed the right place to do this change.

Note that with this proposal, Identity tab is already full. I would still prefer my original proposal to split Users and Hosts operations + have Infrastructure/Trusts tab (some variation of http://www.redhat.com/archives/freeipa-devel/2014-June/msg00060.html), but apparently this crowded Identity tab is what people want :) I would still recommend running it by UX.

Few comments:
- s/Network services/Network Services/
- Radius Proxy page returns an error, instead of 0 configured proxies

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Reorganization of Web UI navigation items
- Original Message -

On 06/27/2014 07:27 PM, Petr Vobornik wrote:

On 2.6.2014 15:59, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

It would be great to get this into 4.0, resuming the discussion.

My proposal which takes into account various other proposals:

Identity (7)
- Users
- User Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
  - User group rules
  - Host group rules

Policy (5)
- Host Based Access Control
  - HBAC Rules
  - HBAC Services
  - HBAC Service Groups
  - HBAC Test
- Sudo
  - Sudo Rules
  - Sudo Commands
  - Sudo Command Groups
- SELinux User Maps
- Password Policies
- Kerberos Ticket Policy

Authentication (3-4)
- Certificates
- (future) User Certificates
- OTP Tokens
- RADIUS Servers

Network services (2-3)
- Automount
- DNS
  - DNS Zones
  - DNS Forward Zones
  - DNS Global Configuration
- (future) Vault

IPA Server (5-7)
- Role Based Access Control
  - Roles
  - Privileges
  - Permissions
  - Self Service Permissions
  - Delegations
- ID Ranges
- Realm Domain
- (future) Replication Topology
- Trusts
  - Trusts
  - Global Trust Configuration
- (future) Views
- Configuration

(future) Help
- Docs
- API
- ...

Mostly it's a response to the last proposal: http://www.redhat.com/archives/freeipa-devel/2014-June/msg00107.html

You can check live version at: http://pvoborni.fedorapeople.org/ui/

From the earlier discussion I would say, that there was an agreement on Identity and Policy tabs which are very similar to current implementation.

Simo had a proposal to introduce Authentication tab in a future. I guess we can do it now. We already have radius server proxies and certificates are also related. It will solve the OTP doesn't fit anywhere problem

I've kept the Network Services tab because IDK where to put DNS and Automount :)

Simo's 'Directory' and 'Configuration' were merged into existing 'IPA server' with the difference that all RBAC related stuff is under one item (this option was mentioned by Petr3). Btw RBAC === Existing items in 'Directory'.

The label is 'IPA Server' because almost everything is related to configuration of the server itself maybe with exception of Trust and Views. Label 'Configuration' is too general. Label Directory was quite low-level as pointed out by Dmitry. This merge allows us to add 'Help' in a future.

It would be good to move something into Network services (and maybe rename it) since it has only two(three in future) items.

Thanks for returning to this effort. 4.0 is indeed the right place to do this change.

Note that with this proposal, Identity tab is already full. I would still prefer my original proposal to split Users and Hosts operations + have Infrastructure/Trusts tab (some variation of http://www.redhat.com/archives/freeipa-devel/2014-June/msg00060.html), but apparently this crowded Identity tab is what people want :) I would still recommend running it by UX.

Been following the thread and the map Petr has put together here does a great job of categorizing these items. The ratio of level one to level two options is secondary to logical, intuitive groupings. I think the way Identity is here is fine. 7 options is just an average guide not the max number. I don't see the types of currency we manage increasing dramatically in the future. Even if we add four more options under Identity it should have little effect due to the logical groupings. The goal here is to not require users memorize tons of options because the top level bucket is too big or the label is too generic/specific. I think Petr has struck a great balance here.

One comment - Is 'IPA Server' going to make sense in the downstream? May make sense to call it Identity Server which will make sense in both cases.
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 2.6.2014 15:59, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

It would be great to get this into 4.0, resuming the discussion.

My proposal which takes into account various other proposals:

Identity (7)
- Users
- User Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
  - User group rules
  - Host group rules

Policy (5)
- Host Based Access Control
  - HBAC Rules
  - HBAC Services
  - HBAC Service Groups
  - HBAC Test
- Sudo
  - Sudo Rules
  - Sudo Commands
  - Sudo Command Groups
- SELinux User Maps
- Password Policies
- Kerberos Ticket Policy

Authentication (3-4)
- Certificates
- (future) User Certificates
- OTP Tokens
- RADIUS Servers

Network services (2-3)
- Automount
- DNS
  - DNS Zones
  - DNS Forward Zones
  - DNS Global Configuration
- (future) Vault

IPA Server (5-7)
- Role Based Access Control
  - Roles
  - Privileges
  - Permissions
  - Self Service Permissions
  - Delegations
- ID Ranges
- Realm Domain
- (future) Replication Topology
- Trusts
  - Trusts
  - Global Trust Configuration
- (future) Views
- Configuration

(future) Help
- Docs
- API
- ...

Mostly it's a response to the last proposal: http://www.redhat.com/archives/freeipa-devel/2014-June/msg00107.html

You can check live version at: http://pvoborni.fedorapeople.org/ui/

From the earlier discussion I would say, that there was an agreement on Identity and Policy tabs which are very similar to current implementation.

Simo had a proposal to introduce Authentication tab in a future. I guess we can do it now. We already have radius server proxies and certificates are also related. It will solve the OTP doesn't fit anywhere problem

I've kept the Network Services tab because IDK where to put DNS and Automount :)

Simo's 'Directory' and 'Configuration' were merged into existing 'IPA server' with the difference that all RBAC related stuff is under one item (this option was mentioned by Petr3). Btw RBAC === Existing items in 'Directory'.

The label is 'IPA Server' because almost everything is related to configuration of the server itself maybe with exception of Trust and Views. Label 'Configuration' is too general. Label Directory was quite low-level as pointed out by Dmitry. This merge allows us to add 'Help' in a future.

It would be good to move something into Network services (and maybe rename it) since it has only two(three in future) items.

--
Petr Vobornik
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On Mon, 2014-06-09 at 16:08 +0200, Petr Vobornik wrote:

Accounts/Identity (7):
- Users
- Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
^ These are all identity or identity-grouping related objects/actions

+1

What are the chances that we will add some other identity to manage in a future?

I am not foreseeing anything in the core, but we can move Automember under configuration if we want to.

Directory (6):
- Permissions
- Privileges
- Roles
- Delegation
NOTE: the 4 above can be merged into a single 'Authorization' entry perhaps

May be it should be an Administration tab, I do not like the title. I understand where the directory comes from but this is IMO not intuitive for someone who does not know what is under the hood.

- Replication Topology

+1 that they should be together. They configure the tool and not data. Current IPA Server item name may be more suitable.

Well this is not related to just the one server, but the whole set of servers. Maybe the plural IPA Servers ?

- Views (future)
^ Everything that deals with direct LDAP access/view

I think views do not belong here. They belong in the same place where the trusts are.

Just a FYI: I do not think views and trust should be in the same place. Views will also be available for regular IPA server with no trusts, the 2 are not strictly related. Views IMO really belong here with other directory configuration items.

Network Services (4):
- Automount
- DNS
- CA
- Vault (future)
- Radius Server Proxies

Isn't this strictly related to OTP ? I would put it in the same place.

^ All the additional network services or configuration of network related services

+1

Configuration (3):
- Trusts
- ID Ranges
- Realm Domains
- Global
- OTP Tokens ?
^ Anything that does not fit the above categories.

+1

Docs:
- whatever :)

(*) The only doubt I have is about OTP Tokens, it may be worth taking them off Policies and putting them into a new tab which in future may also sport a pointer to user certificates management:

Yeah, may be for now we put OTP as a top level for now and have tokens and create a RADIUS page to manage radius proxies?

We already have RADIUS Servers menu item for Radius s. proxies. Martin forgot it in his proposal.

In future when we add other credentials we can rename it and add smart card related options.

Authentication:
- OTP Tokens
- User Certificates (future)

With Documentation, Authentication would be the 7th top level item. Ideal number of top level items is about 5-6. Because we have to fit into 768px (minimum screen size before it's switched to compact menu).

Why the minimum is 768 ?

Maybe we can drop Documentation from the top level ? Or make it really small by using a ? as the menu symbol ? :)

Maybe we should stop using full names but instead get a set of icons that represent each item and have the name only as a tooltip ? This way the first level menu bar sizing would be consistent regardless of the language.

This functionality is provided by PatternFly. Also take into considerations that languages such as Spanish have much longer expressions.

Yeah maybe we should just avoid names here and use icons+tooltips/hover instead.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 9.6.2014 16:42, Simo Sorce wrote:

On Mon, 2014-06-09 at 16:08 +0200, Petr Vobornik wrote:

Accounts/Identity (7):
- Users
- Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
^ These are all identity or identity-grouping related objects/actions

+1

What are the chances that we will add some other identity to manage in a future?

I am not foreseeing anything in the core, but we can move Automember under configuration if we want to.

Directory (6):
- Permissions
- Privileges
- Roles
- Delegation
NOTE: the 4 above can be merged into a single 'Authorization' entry perhaps

May be it should be an Administration tab, I do not like the title. I understand where the directory comes from but this is IMO not intuitive for someone who does not know what is under the hood.

- Replication Topology

+1 that they should be together. They configure the tool and not data. Current IPA Server item name may be more suitable.

Well this is not related to just the one server, but the whole set of servers. Maybe the plural IPA Servers ?

- Views (future)
^ Everything that deals with direct LDAP access/view

I think views do not belong here. They belong in the same place where the trusts are.

Just a FYI: I do not think views and trust should be in the same place. Views will also be available for regular IPA server with no trusts, the 2 are not strictly related. Views IMO really belong here with other directory configuration items.

Network Services (4):
- Automount
- DNS
- CA
- Vault (future)
- Radius Server Proxies

Isn't this strictly related to OTP ? I would put it in the same place.

^ All the additional network services or configuration of network related services

+1

Configuration (3):
- Trusts
- ID Ranges
- Realm Domains
- Global
- OTP Tokens ?
^ Anything that does not fit the above categories.

+1

Docs:
- whatever :)

(*) The only doubt I have is about OTP Tokens, it may be worth taking them off Policies and putting them into a new tab which in future may also sport a pointer to user certificates management:

Yeah, may be for now we put OTP as a top level for now and have tokens and create a RADIUS page to manage radius proxies?

We already have RADIUS Servers menu item for Radius s. proxies. Martin forgot it in his proposal.

In future when we add other credentials we can rename it and add smart card related options.

Authentication:
- OTP Tokens
- User Certificates (future)

With Documentation, Authentication would be the 7th top level item. Ideal number of top level items is about 5-6. Because we have to fit into 768px (minimum screen size before it's switched to compact menu).

Why the minimum is 768 ?

It's Bootstrap's minimum width of a small device(tablet). Navbar's collapse threshold (@grid-float-breakpoint) is set to this value by default. It's possible to increase it but I don't think it's the best approach - collapsed menu is harder to use. It can be solved in different manner but it requires additional work.

Maybe we can drop Documentation from the top level ? Or make it really small by using a ? as the menu symbol ? :)

I like this.

Maybe we should stop using full names but instead get a set of icons that represent each item and have the name only as a tooltip ? This way the first level menu bar sizing would be consistent regardless of the language.

It would solve the issue, but we should be consistent with other projects as well. Also, it would require very good icons. I'm afraid that it would be harder to use for newcomers. But probably better for experienced users. Kyle what's your take?

This functionality is provided by PatternFly. Also take into considerations that languages such as Spanish have much longer expressions.

Yeah maybe we should just avoid names here and use icons+tooltips/hover instead.

--
Petr Vobornik
Re: [Freeipa-devel] Reorganization of Web UI navigation items
- Original Message -

On 9.6.2014 16:42, Simo Sorce wrote:

On Mon, 2014-06-09 at 16:08 +0200, Petr Vobornik wrote:

Accounts/Identity (7):
- Users
- Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
^ These are all identity or identity-grouping related objects/actions

+1

What are the chances that we will add some other identity to manage in a future?

I am not foreseeing anything in the core, but we can move Automember under configuration if we want to.

Directory (6):
- Permissions
- Privileges
- Roles
- Delegation
NOTE: the 4 above can be merged into a single 'Authorization' entry perhaps

May be it should be an Administration tab, I do not like the title. I understand where the directory comes from but this is IMO not intuitive for someone who does not know what is under the hood.

- Replication Topology

+1 that they should be together. They configure the tool and not data. Current IPA Server item name may be more suitable.

Well this is not related to just the one server, but the whole set of servers. Maybe the plural IPA Servers ?

- Views (future)
^ Everything that deals with direct LDAP access/view

I think views do not belong here. They belong in the same place where the trusts are.

Just a FYI: I do not think views and trust should be in the same place. Views will also be available for regular IPA server with no trusts, the 2 are not strictly related. Views IMO really belong here with other directory configuration items.

Network Services (4):
- Automount
- DNS
- CA
- Vault (future)
- Radius Server Proxies

Isn't this strictly related to OTP ? I would put it in the same place.

^ All the additional network services or configuration of network related services

+1

Configuration (3):
- Trusts
- ID Ranges
- Realm Domains
- Global
- OTP Tokens ?
^ Anything that does not fit the above categories.

+1

Docs:
- whatever :)

(*) The only doubt I have is about OTP Tokens, it may be worth taking them off Policies and putting them into a new tab which in future may also sport a pointer to user certificates management:

Yeah, may be for now we put OTP as a top level for now and have tokens and create a RADIUS page to manage radius proxies?

We already have RADIUS Servers menu item for Radius s. proxies. Martin forgot it in his proposal.

In future when we add other credentials we can rename it and add smart card related options.

Authentication:
- OTP Tokens
- User Certificates (future)

With Documentation, Authentication would be the 7th top level item. Ideal number of top level items is about 5-6. Because we have to fit into 768px (minimum screen size before it's switched to compact menu).

Why the minimum is 768 ?

It's Bootstrap's minimum width of a small device(tablet). Navbar's collapse threshold (@grid-float-breakpoint) is set to this value by default. It's possible to increase it but I don't think it's the best approach - collapsed menu is harder to use. It can be solved in different manner but it requires additional work.

Maybe we can drop Documentation from the top level ? Or make it really small by using a ? as the menu symbol ? :)

I like this.

Maybe we should stop using full names but instead get a set of icons that represent each item and have the name only as a tooltip ? This way the first level menu bar sizing would be consistent regardless of the language.

It would solve the issue, but we should be consistent with other projects as well. Also, it would require very good icons. I'm afraid that it would be harder to use for newcomers. But probably better for experienced users. Kyle what's your take?

Icons which represent anything outside of common actions prove to be difficult to recognize for new or experienced users - depending on the amount. I think this concern would better be served by collapsing the top level to less options.

Things related to administration of the tool like documentation could live on the top right near the login. This should be treated differently as it is not a currency a tool manages, but an app utility. It is okay if the top level collapses at the 768 width. This is the desired functionality for tablet size. Generally if we have no more than 7 words at the top level we should be fine.

This functionality is provided by PatternFly. Also take into considerations that languages such as Spanish have much longer expressions.

Yeah maybe we should just avoid names here and use icons+tooltips/hover instead.

--
Petr Vobornik
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/04/2014 04:10 PM, Simo Sorce wrote:

On Wed, 2014-06-04 at 20:52 +0200, Martin Kosek wrote:

On 06/04/2014 05:35 PM, Simo Sorce wrote:

On Wed, 2014-06-04 at 08:44 +0200, Martin Kosek wrote:

On 06/04/2014 08:34 AM, Martin Kosek wrote:

...

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

I do not see the need to do Policy - Authorization but Automember is in the wrong place imo. The first tab should be Users - Accounts and include automember in it as automember is about groupings ?

Actually I would merge the current Users and Hosts tabs into 'Accounts' (or maybe 'Identities' ?) and add Automember.

Simo.

Automember is about grouping both users and hosts. I put it under Policy originally as it basically is a policy, when are certain users/hosts automember'ed.

I would personally not merge Users and Hosts top level menus to one top level menu as that would spoil the whole reason why this effort is done, i.e. have at most 7 items in the second level bar to make things clearer.

To me, it seemed a good idea to split Users and Hosts to achieve the target as it separates well the intent what one wants to do. Now we have it all under Identity (including DNS and Realm Domains) which is messy.

Unfortunately some of your groupings make little sense to me:
- why is SUDO under Users ?? It's a security policy and those policies are equally related to users, groups and hosts.
- why policies are under authentication ? Both password policies and Kerberos Ticket policies have nothing to do with the authentication part, but with changing password and with which features are allowed on tickets.
- why automember is in Policy ? It is just autoconfiguration it doesn't enforce any policy on its own

But I am pretty open to counter-proposals which keeps the UX requirement of 7 second level items.

Martin

This is how it makes sense to me as a logical grouping:

Accounts/Identity (7):
- Users
- Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
^ These are all identity or identity-grouping related objects/actions

+1

Policies (6):
- Sudo
- HBAC
- SELinux User Maps
- OTP Tokens (*)
- Password Policies
- Kerberos ticket Policies
^ These are all Security Policies an admin cares about

+1, with the note, i.e. OTP does not belong there

Directory (6):
- Permissions
- Privileges
- Roles
- Delegation
NOTE: the 4 above can be merged into a single 'Authorization' entry perhaps

May be it should be an Administration tab, I do not like the title. I understand where the directory comes from but this is IMO not intuitive for someone who does not know what is under the hood.

- Replication Topology
- Views (future)
^ Everything that deals with direct LDAP access/view

I think views do not belong here. They belong in the same place where the trusts are.

Network Services (4):
- Automount
- DNS
- CA
- Vault (future)
^ All the additional network services or configuration of network related services

+1

Configuration (3):
- Trusts
- ID Ranges
- Realm Domains
- Global
^ Anything that does not fit the above categories.

+1

Docs:
- whatever :)

(*) The only doubt I have is about OTP Tokens, it may be worth taking them off Policies and putting them into a new tab which in future may also sport a pointer to user certificates management:

Yeah, may be for now we put OTP as a top level for now and have tokens and create a RADIUS page to manage radius proxies?

In future when we add other credentials we can rename it and add smart card related options.

Authentication:
- OTP Tokens
- User Certificates (future)

HTH,
Simo.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/04/2014 08:34 AM, Martin Kosek wrote:

...

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

Trusts
- Trust configuration
- Trusts
- (future) Views

Infrastructure
- Certificates
- DNS
- (future) Replication topology
- (future) Vault

Configuration
- Global
- Access Control (RBAC)
- Realm Domains
- ID Ranges

Martin
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 4.6.2014 08:44, Martin Kosek wrote:

On 06/04/2014 08:34 AM, Martin Kosek wrote:

...

This is really good proposal! Scroll down to see three nit picks:

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

Trusts
- Trust configuration
- Trusts
- (future) Views

Infrastructure
- Certificates
^^^ I would like to see this under Authentication. Nowadays it is used to authenticate machines and it will be extended to user authentication as soon as Smart Card support is added.
- DNS
- (future) Replication topology
^^^ Personally, I would place it under IPA Configuration.
- (future) Vault
^^^ Why is Vault under Infrastructure? It sounds like Authentication to me. It is meant to store plain-text passwords etc., no?

It seems that I'm proposing to reduce Infrastructure to DNS. We can move DNS somewhere or make DNS top-level item until we get DHCP or something similar.

This also opens the question if DNS management is really the right business for us :-) I'm personally not sure :-)

Configuration
^^^ Can it be IPA configuration or something like that? Just Configuration seems too vague to me. After all, everything in the UI is some kind of configuration :-)
- Global
- Access Control (RBAC)
- Realm Domains
- ID Ranges

--
Petr^2 Spacek
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 4.6.2014 09:37, Petr Spacek wrote:

On 4.6.2014 08:44, Martin Kosek wrote:

On 06/04/2014 08:34 AM, Martin Kosek wrote:

...

This is really good proposal! Scroll down to see three nit picks:

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

Trusts
- Trust configuration
- Trusts
- (future) Views

Infrastructure
- Certificates
^^^ I would like to see this under Authentication. Nowadays it is used to authenticate machines and it will be extended to user authentication as soon as Smart Card support is added.
- DNS
- (future) Replication topology
^^^ Personally, I would place it under IPA Configuration.
- (future) Vault
^^^ Why is Vault under Infrastructure? It sounds like Authentication to me. It is meant to store plain-text passwords etc., no?

It seems that I'm proposing to reduce Infrastructure to DNS. We can move DNS somewhere or make DNS top-level item until we get DHCP or something similar.

I would rather avoid having a temporary top-level item.

This also opens the question if DNS management is really the right business for us :-) I'm personally not sure :-)

Configuration
^^^ Can it be IPA configuration or something like that? Just Configuration seems too vague to me. After all, everything in the UI is some kind of configuration :-)

We can leave the old IPA Server name. I agree that Replication topology could be here because it configures the tool and not the data, similar to other items under this category. But I think that many users would try to find it in infrastructure.

- Global
- Access Control (RBAC)
- Realm Domains
- ID Ranges

--
Petr Vobornik
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 4.6.2014 09:55, Petr Vobornik wrote:
On 4.6.2014 09:37, Petr Spacek wrote:
On 4.6.2014 08:44, Martin Kosek wrote:
On 06/04/2014 08:34 AM, Martin Kosek wrote:
...

This is really good proposal! Scroll down to see three nit picks:

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

Trusts
- Trust configuration
- Trusts
- (future) Views

Infrastructure
- Certificates
^^^ I would like to see this under Authentication. Nowadays it is used to authenticate machines and it will be extended to user authentication as soon as Smart Card support is added.
- DNS
- (future) Replication topology
^^^ Personally, I would place it under IPA Configuration.
- (future) Vault
^^^ Why is Vault under Infrastructure? It sounds like Authentication to me. It is meant to store plain-text passwords etc., no?

It seems that I'm proposing to reduce Infrastructure to DNS. We can move DNS somewhere or make DNS top-level item until we get DHCP or something similar.

I would rather avoid having a temporary top-level item.

Temporary ~ years in this case. Is it good enough? :-) I personally don't like categories with one item in them, it seems ridiculous. Look at Time menu in OrangeHRM :-) You have to go through it just to click to the only option inside. Ridiculous.

This also opens the question if DNS management is really the right business for us :-) I'm personally not sure :-)

Configuration
^^^ Can it be IPA configuration or something like that? Just Configuration seems too vague to me. After all, everything in the UI is some kind of configuration :-)

We can leave the old IPA Server name. I agree that Replication topology could be here because it configures the tool and not the data, similar to other items under this category. But I think that many users would try to find it in infrastructure.

My point is that distinction between Infrastructure and IPA server or its configuration is really vague. I'm worried that people (or at least I) will always look in the wrong category first which makes me unhappy.

- Global
- Access Control (RBAC)

BTW can we clarify somehow that this applies purely to IPA? Maybe IPA Server category will make it clear enough...

- Realm Domains
- ID Ranges

--
Petr^2 Spacek
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On Wed, 2014-06-04 at 08:44 +0200, Martin Kosek wrote:
On 06/04/2014 08:34 AM, Martin Kosek wrote:
...

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

I do not see the need to do Policy - Authorization but Automember is in the wrong place imo. The first tab should be Users - Accounts and include automember in it as automember is about groupings ?

Actually I would merge the current Users and Hosts tabs into 'Accounts' (or maybe 'Identities' ?) and add Automember.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/04/2014 05:35 PM, Simo Sorce wrote:
On Wed, 2014-06-04 at 08:44 +0200, Martin Kosek wrote:
On 06/04/2014 08:34 AM, Martin Kosek wrote:
...

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

I do not see the need to do Policy - Authorization but Automember is in the wrong place imo. The first tab should be Users - Accounts and include automember in it as automember is about groupings ?

Actually I would merge the current Users and Hosts tabs into 'Accounts' (or maybe 'Identities' ?) and add Automember.

Simo.

Automember is about grouping both users and hosts. I put it under Policy originally as it basically is a policy, when are certain users/hosts automember'ed.

I would personally not merge Users and Hosts top level menus to one top level menu as that would spoil the whole reason why this effort is done, i.e. have at most 7 items in the second level bar to make things clearer.

To me, it seemed a good idea to split Users and Hosts to achieve the target as it separates well the intent what one wants to do. Now we have it all under Identity (including DNS and Realm Domains) which is messy.

But I am pretty open to counter-proposals which keeps the UX requirement of 7 second level items.

Martin
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On Wed, 2014-06-04 at 20:52 +0200, Martin Kosek wrote:
On 06/04/2014 05:35 PM, Simo Sorce wrote:
On Wed, 2014-06-04 at 08:44 +0200, Martin Kosek wrote:
On 06/04/2014 08:34 AM, Martin Kosek wrote:
...

Users
- Users
- Groups
- SUDO

Hosts
- Hosts
- Host groups
- Services
- Netgroups
- Automount

Authentication
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Policy
- HBAC
- SELinux User Maps
- Automember

Alternatively, we could rename Policy to Authorization as both HBAC and SELinux is about authorizing what an authenticated user can do. We would just need to move Automember to different place, though this one is difficult - it relates both to Users and Hosts, just like Netgroup.

I do not see the need to do Policy - Authorization but Automember is in the wrong place imo. The first tab should be Users - Accounts and include automember in it as automember is about groupings ?

Actually I would merge the current Users and Hosts tabs into 'Accounts' (or maybe 'Identities' ?) and add Automember.

Simo.

Automember is about grouping both users and hosts. I put it under Policy originally as it basically is a policy, when are certain users/hosts automember'ed.

I would personally not merge Users and Hosts top level menus to one top level menu as that would spoil the whole reason why this effort is done, i.e. have at most 7 items in the second level bar to make things clearer.

To me, it seemed a good idea to split Users and Hosts to achieve the target as it separates well the intent what one wants to do. Now we have it all under Identity (including DNS and Realm Domains) which is messy.

Unfortunately some of your groupings make little sense to me:
- why is SUDO under Users ?? It's a security policy and those policies are equally related to users, groups and hosts.
- why policies are under authentication ? Both password policies and Kerberos Ticket policies have nothing to do with the authentication part, but with changing password and with which features are allowed on tickets.
- why automember is in Policy ? It is just autoconfiguration it doesn't enforce any policy on its own

But I am pretty open to counter-proposals which keeps the UX requirement of 7 second level items.

Martin

This is how it makes sense to me as a logical grouping:

Accounts/Identity (7):
- Users
- Groups
- Hosts
- Host Groups
- Netgroups
- Services
- Automember
^ These are all identity or identity-grouping related objects/actions

Policies (6):
- Sudo
- HBAC
- SELinux User Maps
- OTP Tokens (*)
- Password Policies
- Kerberos ticket Policies
^ These are all Security Policies an admin cares about

Directory (6):
- Permissions
- Privileges
- Roles
- Delegation
NOTE: the 4 above can be merged into a single 'Authorization' entry perhaps
- Replication Topology
- Views (future)
^ Everything that deals with direct LDAP access/view

Network Services (4):
- Automount
- DNS
- CA
- Vault (future)
^ All the additional network services or configuration of network related services

Configuration (3):
- Trusts
- ID Ranges
- Realm Domains
- Global
^ Anything that does not fit the above categories.

Docs:
- whatever :)

(*) The only doubt I have is about OTP Tokens, it may be worth taking them off Policies and putting them into a new tab which in future may also sport a pointer to user certificates management:

Authentication:
- OTP Tokens
- User Certificates (future)

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/02/2014 03:59 PM, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

Initial Draft:

Identity (6)
- Users
- Groups
- Hosts
- Hostgroups
- Netgroups
- Services

ok, though I have different division in mind.

Policy (5) some better name?
- HBAC
- SUDO
- Automount
- Automember
- SELinux User Maps

I am not sure about Automount, SUDO and Automember as they are not so about policy related to users but rather about central storage for native Linux services - similarly to DNS.

Authentication (4)
- Radius Server Proxy
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Hm, Policy is indeed strange.

Infrastructure (6) some better name?
- DNS
- Realm Domains
- Trust
- Views
- ID Ranges
- Certificates

Permissions (3)
- Role Based Access Control
- Self Service Permissions
- Delegation

Configuration (1)
- Global

Let me twist your proposal a bit and come to it from different way, i.e. thinking about what admin wants to do. If he wants to set up a user, he should not need to go to 2 different top level items.

Users
- Users
- Groups
- OTP Tokens
- Password Policy
- Automember

Hosts
- Hosts
- Host groups
- Netgroups
- HBAC
- SELinux User Maps

Services
- Services
- SUDO
- Automount

Trusts
- (future) Views
- Trust configuration
- Trusts

Infrastructure
- Certificates
- DNS
- Realm Domains
- Kerberos Ticket Policy
- (future) Replication topology

Configuration
- Global
- RBAC
- ID Ranges

Does that make sense?

Martin
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 3.6.2014 09:54, Martin Kosek wrote:
On 06/02/2014 03:59 PM, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

Initial Draft:

Identity (6)
- Users
- Groups
- Hosts
- Hostgroups
- Netgroups
- Services

ok, though I have different division in mind.

Policy (5) some better name?
- HBAC
- SUDO
- Automount
- Automember
- SELinux User Maps

I am not sure about Automount, SUDO and Automember as they are not so about policy related to users but rather about central storage for native Linux services - similarly to DNS.

Authentication (4)
- Radius Server Proxy
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Hm, Policy is indeed strange.

Infrastructure (6) some better name?
- DNS
- Realm Domains
- Trust
- Views
- ID Ranges
- Certificates

Permissions (3)
- Role Based Access Control
- Self Service Permissions
- Delegation

Configuration (1)
- Global

Let me twist your proposal a bit and come to it from different way, i.e. thinking about what admin wants to do. If he wants to set up a user, he should not need to go to 2 different top level items.

Users
- Users
- Groups
- OTP Tokens
- Password Policy
- Automember

Hosts
- Hosts
- Host groups
- Netgroups
- HBAC
- SELinux User Maps

Services
- Services
- SUDO
- Automount

Trusts
- (future) Views
- Trust configuration
- Trusts

Infrastructure
- Certificates
- DNS
- Realm Domains
- Kerberos Ticket Policy
- (future) Replication topology

Configuration
- Global
- RBAC
- ID Ranges

Does that make sense?

This seems reasonable. Couple nitpicks:

1) Certificates under Infrastructure: Now we don't support them for users, but this will change in (distant?) future. Also, hosts have own certificates. Services can have own certificates etc. Can we have e.g. Certificates button at two different places? (But still opening the same dialog.)

2) Kerberos Ticket Policy is also related to users ...

3) Configuration and Infrastructure seems so related to me that I would personally merge them.

Anyway, this seems like a step in the right direction!

--
Petr^2 Spacek
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/03/2014 04:29 AM, Petr Spacek wrote:
On 3.6.2014 09:54, Martin Kosek wrote:
On 06/02/2014 03:59 PM, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

Initial Draft:

Identity (6)
- Users
- Groups
- Hosts
- Hostgroups
- Netgroups
- Services

ok, though I have different division in mind.

Policy (5) some better name?
- HBAC
- SUDO
- Automount
- Automember
- SELinux User Maps

I am not sure about Automount, SUDO and Automember as they are not so about policy related to users but rather about central storage for native Linux services - similarly to DNS.

Authentication (4)
- Radius Server Proxy
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Hm, Policy is indeed strange.

Infrastructure (6) some better name?
- DNS
- Realm Domains
- Trust
- Views
- ID Ranges
- Certificates

Permissions (3)
- Role Based Access Control
- Self Service Permissions
- Delegation

Configuration (1)
- Global

Let me twist your proposal a bit and come to it from different way, i.e. thinking about what admin wants to do. If he wants to set up a user, he should not need to go to 2 different top level items.

Users
- Users
- Groups
- OTP Tokens
- Password Policy
- Automember

Hosts
- Hosts
- Host groups
- Netgroups
- HBAC
- SELinux User Maps

User maps are more about users than hosts. No?

Services
- Services
- SUDO
- Automount

I do not like services on two levels but I can't come up with an alternative.

Trusts
- (future) Views
- Trust configuration
- Trusts

Add other trusts in future

Infrastructure
- Certificates
- DNS
- Realm Domains
- Kerberos Ticket Policy
- (future) Replication topology

Configuration
- Global
- RBAC

Is it IPA access control?

- ID Ranges

I suggest different slicing:

Configuration
- Global
- Access control
- Realm Domains
- Kerberos Ticket Policy
- ID ranges

Infrastructure
- (future) Replication topology
- DNS
- (future) Vault

I am not sure about Certificates. Is it about root CA? Can you point me to a feature page that corresponds to this feature?

Should we have also:

(future) Support
- Documentation
- Project Wiki
- File issue here ...

Does that make sense?

This seems reasonable. Couple nitpicks:

1) Certificates under Infrastructure: Now we don't support them for users, but this will change in (distant?) future. Also, hosts have own certificates. Services can have own certificates etc. Can we have e.g. Certificates button at two different places? (But still opening the same dialog.)

2) Kerberos Ticket Policy is also related to users ...

3) Configuration and Infrastructure seems so related to me that I would personally merge them.

Anyway, this seems like a step in the right direction!

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On Tue, Jun 3, 2014 at 2:16 PM, Dmitri Pal d...@redhat.com wrote:

Services
- Services
- SUDO
- Automount

I do not like services on two levels but I can't come up with an alternative.

Maybe Service Principals or Service Keys as that is what's in there, no?

Steve
[Freeipa-devel] Reorganization of Web UI navigation items
Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

Initial Draft:

Identity (6)
- Users
- Groups
- Hosts
- Hostgroups
- Netgroups
- Services

Policy (5) some better name?
- HBAC
- SUDO
- Automount
- Automember
- SELinux User Maps

Authentication (4)
- Radius Server Proxy
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

Infrastructure (6) some better name?
- DNS
- Realm Domains
- Trust
- Views
- ID Ranges
- Certificates

Permissions (3)
- Role Based Access Control
- Self Service Permissions
- Delegation

Configuration (1)
- Global

Notes:
* draft focuses only on first two levels of navigation
* 'Permission' and 'Configuration' could be merged into old 'IPA Server'
* 'Views' are related to Identity and Trust, they have no meaning without some kind of trust - are next to 'Trusts'
* it's weird to have 'Policy' item and items with policy in name to have in 'Authentication'

Comments are welcome

--
Petr Vobornik
Re: [Freeipa-devel] Reorganization of Web UI navigation items
On 06/02/2014 03:59 PM, Petr Vobornik wrote:

Hi List,

the purpose of this mail is to start a discussion about reorganization of navigation items. Users are not fond of such change so we should come up with a solution which would last for some time.

Problem: UX recommendation is that one menu level should contain maximum of 7 items. We have 10 items in Identity, 7 in Policy and 7 in IPA Server. Basically we reached max. capacity of all 1st-level items.

Solution: Introduce new 1st-level items and redistribute 2nd-level items.

Initial Draft:

Identity (6)
- Users
- Groups
- Hosts
- Hostgroups
- Netgroups
- Services

Policy (5) some better name?
- HBAC
- SUDO
- Automount
- Automember
- SELinux User Maps

Authentication (4)
- Radius Server Proxy
- OTP Tokens
- Password Policy
- Kerberos Ticket Policy

+1 for something starting with A :)

Infrastructure (6) some better name?
- DNS
- Realm Domains
- Trust
- Views
- ID Ranges
- Certificates

Permissions (3)
- Role Based Access Control
- Self Service Permissions
- Delegation

Self Service Permissions and Delegation should eventually become special cases of permissions, so I'd recommend listing the RBAC components here:

Role Based Access Control (5)
- Permissions
- Privileges
- Roles
- Self Service Permissions
- Delegation

Either on the first level, or below Policy.

Configuration (1)
- Global

Notes:
* draft focuses only on first two levels of navigation
* 'Permission' and 'Configuration' could be merged into old 'IPA Server'

Or merge Infrastructure and Configuration into Server?

* 'Views' are related to Identity and Trust, they have no meaning without some kind of trust - are next to 'Trusts'
* it's weird to have 'Policy' item and items with policy in name to have in 'Authentication'

Comments are welcome

--
Petr³