> ----- Original Message -----
> From: "Oved Ourfalli" <ov...@redhat.com>
> Sent: Wednesday, December 4, 2013 3:40:55 AM
>
> > ----- Original Message -----
> > From: "Einav Cohen" <eco...@redhat.com>
> > To: "Malini Rao" <m...@redhat.com>, "Eldan Hildesheim" <ehild...@redhat.com>, "Scott Herold" <sher...@redhat.com>,
> > "Arthur Berezin" <abere...@redhat.com>, "Yair Zaslavsky" <yzasl...@redhat.com>, "Gilad Chaplik" <gchap...@redhat.com>, "Oved Ourfalli" <ov...@redhat.com>
> > Cc: "Users@ovirt.org" <users@ovirt.org>
> > Sent: Tuesday, December 3, 2013 10:42:44 PM
> > Subject: [Engine-devel] Fwd: Adding users and assigning roles in Ovirt
> >
> > [moving discussion to the users mailing list]
> >
> > while it seems that we all agree that adding some sort of a wizard that will allow easy permission assignment to newly-added users, it doesn't seem like something that can be accomplished soon (e.g. for ovirt 3.4).
> >
> > maybe we can utilize Ramesh's initial suggestion [1] for the short term - allow assignment of *System* permissions in the context of the 'Add User(s)' dialog [with an explicit clarification within the dialog that we are talking about *System* permissions, so that the admin will be aware that the privileges that he can assign in this context would be very permissive]
> >
> > any thoughts?
> > how extensively are system permissions used in oVirt in general?
> > [if adding a system permission is not a common/popular action, there is no reason to expose it in the 'Add User(s)' dialog, since it will probably be hardly used anyway]
> >
>
> I guess that most users added in this dialog are "users" and not "administrators", and even for administrators I'm not sure they all get system permissions.
> It may imply we think it is the best-practice with regards to permissions.
> In addition, adding system permission in the "Configure" dialog allows you to also add the user, as it shows you all the users in the directory, and not just the ones that were previously added via the "add user" dialog, so I think we should leave it as is for now, given this workaround to do both operations in the same dialog.

+1 on that, very good points, Oved.
[if anyone objects to keeping things as-is *for the short term* - please share. thanks]

> >
> > maybe different ideas for short-term solutions?
> >
> > ----
> > Thanks,
> > Einav
> >
> > [1] http://lists.ovirt.org/pipermail/engine-devel/2013-December/006059.html
> >
> > ----- Forwarded Message -----
> > From: "Yair Zaslavsky" <yzasl...@redhat.com>
> > To: "Einav Cohen" <eco...@redhat.com>
> > Cc: "Oved Ourfalli" <ov...@redhat.com>, engine-de...@ovirt.org
> > Sent: Monday, December 2, 2013 4:09:10 PM
> > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> >
> > > ----- Original Message -----
> > > From: "Einav Cohen" <eco...@redhat.com>
> > > To: "Malini Rao" <m...@redhat.com>
> > > Cc: "Oved Ourfalli" <ov...@redhat.com>, engine-de...@ovirt.org
> > > Sent: Monday, December 2, 2013 9:55:45 PM
> > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > >
> > > > ----- Original Message -----
> > > > From: "Malini Rao" <m...@redhat.com>
> > > > Sent: Monday, December 2, 2013 2:20:06 PM
> > > >
> > > > Joining in the thread a bit green but wouldn't it be ok to add the new user with the most basic permissions by default (maybe just read only permissions) until the admin goes and deliberately tweaks permissions or assigns a role?
> > >
> > > this is similar to what Oved has suggested, but I think that it won't really make any difference, since there is very little chance, in my view, that these permissions would be sufficient for anything - the admin would need to assign additional/different permissions at some point anyway, so not much point in allowing that default minimal assignment in the first place - we might as well keep the 'Add User(s)' dialog as is.
> > >
> > > >
> > > > Also, if we add that roles drop down as Einav mentioned, isn't there a way to only show that drop down if the logged in user is an admin role?
> > >
> > > the logged in user must be an admin, as the 'Add User(s)' dialog (which is available from the Users main tab) exists only in the web-admin, which is accessible only to admins by definition.
> > >
> > > >
> > > > +1 on the user adding wizard. I think in general connecting related task flows together will improve the overall UX too.
> >
> > +1 here
> >
> > >
> > > agreed.
> > >
> > > >
> > > > Thanks
> > > > Malini
> > > >
> > > > ----- Original Message -----
> > > > From: "Einav Cohen" <eco...@redhat.com>
> > > > To: "Gilad Chaplik" <gchap...@redhat.com>, "Ramesh" <rnach...@redhat.com>, "Oved Ourfalli" <ov...@redhat.com>
> > > > Cc: engine-de...@ovirt.org
> > > > Sent: Monday, December 2, 2013 1:37:57 PM
> > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > >
> > > > we should definitely not completely remove the possibility to add permission-less users to the system, due to possible use-cases as Gilad mentioned and/or simply to allow the flexibility of adding the user first, and only then adding the relevant (business entity and) permissions, should the admin choose to do so.
> > > >
> > > > the more correct location to add system permissions to a user would probably be an 'Add System Permission' dialog that will be available from the Permissions sub-tab of the Users main tab, however it won't allow to assign system permissions to several users at once, so I understand the need for this ability within the 'Add User(s)' dialog.
> > > >
> > > > I think that adding an "allow user to login" check-box would not be good enough, since once a user would be able to login, he won't be able to do (or even see) anything (well, other than the 'Blank' Template, maybe), so the admin would need to assign additional permissions to this user anyway.
> > > > The minimal solution in my view is to add an "assign these users the following system permissions" check-box, with a Roles drop down; as Gilad mentioned - need to be very careful with that, as system-wide permissions are powerful.
> > > > A more comprehensive solution (more complex for implementation) would probably be, as Oved mentioned, some sort of a user-adding-wizard, that will allow easy permissions-assignment (maybe even not only system-wide permissions) to the newly-added users.
> > > >
> > > > ----
> > > > Thanks,
> > > > Einav
> > > >
> > > > ----- Original Message -----
> > > > > From: "Gilad Chaplik" <gchap...@redhat.com>
> > > > > To: "Oved Ourfalli" <ov...@redhat.com>
> > > > > Cc: engine-de...@ovirt.org
> > > > > Sent: Monday, December 2, 2013 3:47:56 AM
> > > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > >
> > > > > Hi Ramesh,
> > > > >
> > > > > You're right, I also think that the 'add users' is a bit pointless, but adding a system permission in that dialog can be dangerous (if admin doesn't fully understand what he's doing, and MLA is complicated enough ;-) ).
> > > > >
> > > > > Currently when adding a permission we can specify an AD-user (regardless of the fact he's added or not), so eventually power users can add users to the system.
> > > > > I can think of a case, that admins will want to manage the users by themselves, i.e. power users can add permissions for the added users only. this way this dialog can be useful.
> > > > >
> > > > > Thanks,
> > > > > Gilad.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Oved Ourfalli" <ov...@redhat.com>
> > > > > > To: "Ramesh" <rnach...@redhat.com>
> > > > > > Cc: engine-de...@ovirt.org
> > > > > > Sent: Monday, December 2, 2013 9:01:52 AM
> > > > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > > >
> > > > > > Your E-mail made me look a bit and check the different flows.
> > > > > >
> > > > > > I think the only use-case for adding users without giving any permissions is when you add a user for notification reasons.
> > > > > > You can add a user, and then in the Event Notifier sub-tab define what events he will get via E-mail.
> > > > > > afaik (and I'm not an event notifier expert), this user doesn't have to be able to login, or to have permissions of any kind. He just gets events.
> >
> > +1 - this is due to the fact a user has an email account - no need to login to ovirt-engine in order to read your emails :)
> >
> > > > > >
> > > > > > Other than that you're right. A user which is added to the system can't do much without assigning him roles.
> > > > > > I think adding roles assignment to this dialog may be a bit cumbersome.
> > > > > > Perhaps some wizard is required in that case. Or at least some checkbox saying "allow user to login". That way the new user will be able to login, and he will have some default permissions as well (permissions granted to Everyone).
> > > > > >
> > > > > > Let's see what others think.
> > > > > >
> > > > > > Regards,
> > > > > > Oved
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Ramesh" <rnach...@redhat.com>
> > > > > > > To: engine-de...@ovirt.org
> > > > > > > Sent: Monday, December 2, 2013 7:22:53 AM
> > > > > > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > We have 'Add' action under 'Users' main tab to add users in Ovirt. It looks slightly different from the "Add user" option of the Configure option. Actually, this one is missing the "Role to Assign" option. I think without assigning any role, adding a user is not meaningful and it didn't complete the flow.
> > > > > > >
> > > > > > > Currently to assign any role to the user, either we have to use 'Configure' option (to add system permission) or we have to go to the specific entity and add permission for that entity. It will be nice if we can assign roles (system level permissions) while adding users in 'Users' tab itself. It will be a clear user flow where one can add user and assign role in the same place.
> > > > > > >
> > > > > > > I have attached both the screen shots.
> > > > > > >
> > > > > > > please share your thoughts.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Ramesh
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Engine-devel mailing list
> > > > > > > engine-de...@ovirt.org
> > > > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users