* Josef Reidinger <[email protected]> [Feb 23. 2010 19:02]:
> Hi,
> I got this task and I think it is time for a little discussion of what is possible
> and how it should be done (how it looks I think is decided: it is similar
> to groups).
>
> A role is something like a mark which grants a user a set of actions. So e.g. the role
> "HR admin" can add/remove users and edit their details; it is one role but it
> contains more permissions.

Correct, a role is a set of (PolicyKit) permissions. These can be grant or deny permissions. Thus a prerequisite for roles management is permissions management. A user then gets a set of roles assigned, allowing him to act as an administrator within the limits of the roles.

> At first I investigated a little how lib/yast_roles.rb works... and it doesn't
> work. I tried to play with polkit, and if you ask for a user which doesn't have a UID
> it fails. The problem is that roles don't have a UID. So roles must be stored
> separately.
>
> My proposal for how it could work:
>
> We have a defined list of roles in one yaml file,

How it's stored is an implementation detail, let's look at the resource model for the REST API first. The permissions <-> roles <-> users mapping would match the has_and_belongs_to_many semantics of ActiveRecord.

> owned by yastws, with strict permissions. This list contains each role and its
> permissions.

Right, this maps roles to sets of permissions.

> Then we have a second list which assigns to each role its users.

A users <-> roles mapping, agreed.

> If a user is added to a role, it gets the permissions of this role.
> If a user is removed from a role, all permissions are removed and again all roles are
> applied.
> If a role is modified then all users in this role have their permissions removed and
> all roles are again applied (the longest variant, but roles should change only
> rarely).

Agreed on the semantics. But what makes you think that roles only change rarely?

> So the permission module is changed so that it acts on roles, not on users, for the
> appliance.

Yes! Of course we could also do a direct permissions <-> users mapping. But with hundreds of permissions, this easily gets out of hand. The insertion of roles is a means to make handling this stuff easier.

> For non-appliance usage it acts on users. (I plan to create two packages for
> easier maintenance.)

Why?
Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
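The semantics agreed on in the message above (roles as sets of grant/deny permissions, a users <-> roles mapping, and "remove everything, then reapply all roles" whenever a membership or a role definition changes), as an added Ruby example that is not code from this thread or from the yast-ws project. It keeps the many-to-many model in memory instead of ActiveRecord so it runs stand-alone; the action ids are constructed placeholders, not real PolicyKit action ids, and the rule that an explicit deny from one role wins over a grant from another is an assumption, not something the thread states.

```ruby
require 'set'

# A permission is an action id plus a verdict (:grant or :deny).
# Action ids used below are constructed, not real PolicyKit ids.
Permission = Struct.new(:action, :verdict)

class RoleStore
  def initialize
    @roles = {}                                    # role name => Array of Permission
    @members = Hash.new { |h, k| h[k] = Set.new }  # user => Set of role names
    @effective = {}                                # user => { action => verdict }
  end

  # Define or redefine a role. Redefining a role re-applies every member,
  # which is the "longest variant" the thread describes.
  def define_role(name, permissions)
    @roles[name] = permissions.dup
    users_in(name).each { |user| reapply(user) }
  end

  def add_user_to_role(user, role)
    raise ArgumentError, "unknown role #{role}" unless @roles.key?(role)
    @members[user] << role
    reapply(user)
  end

  # Removing a membership drops all applied permissions and re-applies
  # whatever roles remain, rather than subtracting one role's permissions.
  def remove_user_from_role(user, role)
    @members[user].delete(role)
    reapply(user)
  end

  def users_in(role)
    @members.select { |_user, roles| roles.include?(role) }.keys
  end

  # The currently applied permissions of a user.
  def effective(user)
    @effective.fetch(user, {})
  end

  def allowed?(user, action)
    effective(user)[action] == :grant
  end

  private

  # Rebuild a user's applied permissions from scratch out of all roles.
  # Assumption: an explicit deny from any role wins over a grant from another.
  def reapply(user)
    applied = {}
    @members[user].each do |role|
      @roles[role].each do |perm|
        next if applied[perm.action] == :deny
        applied[perm.action] = perm.verdict
      end
    end
    @effective[user] = applied
  end
end

# Constructed sample data: an HR admin role and an auditor role that
# explicitly denies removing users.
def demo_store
  store = RoleStore.new
  store.define_role('hr_admin', [
    Permission.new('example.users.add', :grant),
    Permission.new('example.users.remove', :grant),
    Permission.new('example.users.edit', :grant)
  ])
  store.define_role('auditor', [
    Permission.new('example.users.remove', :deny),
    Permission.new('example.log.read', :grant)
  ])
  store.add_user_to_role('alice', 'hr_admin')
  store.add_user_to_role('bob', 'hr_admin')
  store.add_user_to_role('bob', 'auditor')
  store
end

if __FILE__ == $PROGRAM_NAME
  store = demo_store
  puts "alice may remove users: #{store.allowed?('alice', 'example.users.remove')}"
  puts "bob may remove users:   #{store.allowed?('bob', 'example.users.remove')}"
end
```

The point of `reapply` is that nothing is ever subtracted: a removed membership or a changed role definition always leads to a full rebuild from the remaining roles, so the applied state can never drift from the roles that are supposed to produce it.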
