RE: [mssms] RBAC: Deploy action linked to Collection not making sense

[Roland Janus]

While that might work, it’s just a workaround. Removing access to an object 
should remove it, right? :)

 

 

 

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of CESAR.ABREG0
Sent: Donnerstag, 12. Februar 2015 22:00
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense

 

Though I see your point. That would depends to the objects you scope the role 
for. It can actually be scoped to an empty collection. 

Cesar A.

Meaning is NOT in words, but inside people! Dr. Myles Munroe. 


On Feb 12, 2015, at 12:51 PM, Roland Janus <roland.ja...@hispeed.ch 
<mailto:roland.ja...@hispeed.ch> > wrote:

I disagree.

Basically there is no useful method to prevent deploying any app as soon as 
they have access to any collection especially considering packagers.

 

 

From: listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com>  
[mailto:listsad...@lists.myitforum.com] On Behalf Of elsalvoz
Sent: Donnerstag, 12. Februar 2015 15:47
To: mssms@lists.myitforum.com <mailto:mssms@lists.myitforum.com> 
Subject: Re: [mssms] RBAC: Deploy action linked to Collection not making sense

 

Just went through that at latest gig. 

Those activities can only be executed onto collection. Kinda makes sense. 
Cesar 

On Feb 12, 2015 12:27 AM, "Roland Janus" <roland.ja...@hispeed.ch 
<mailto:roland.ja...@hispeed.ch> > wrote:

Have you noticed that the deploy and move action for an application is linked 
to a collection instead of the application object itself?

 

I have a packager role and a packager scope. There are also collections for 
them and that’s the only thing they can touch.

Almost..

 



 

They can create apps, collections within their limits and deploy to them.

Once an admin changes the scope of a package, removes “packagers” leaving 
“default”, there edit/delete etc. access is revoked.

But they still can “deploy”, because that action is linked to a collection and 
not what would make sense to me to the application.

I mean the object to control is the application, not the collection, why would 
“deploy” be part of an collection?

Shouldn’t deploy always be linked to the object to the deploy and not what to 
deploy TO? So “deploy” for all classes (app, packages, settings etc.)?

Does that make sense to you?

 

I could remove read only access, then they wouldn’t see it anymore, hence can’t 
deploy, but I want them to be able to see live apps.

 

Is there a way around that?

 

-Roland