Yes, that works. Cesar On Feb 12, 2015 3:28 PM, "Roland Janus" <[email protected]> wrote:
> While that might work, it’s just a workaround. Removing access to an > object should remove it, right? J > > > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *CESAR.ABREG0 > *Sent:* Donnerstag, 12. Februar 2015 22:00 > *To:* [email protected] > *Subject:* Re: [mssms] RBAC: Deploy action linked to Collection not > making sense > > > > Though I see your point. That would depends to the objects you scope the > role for. It can actually be scoped to an empty collection. > > Cesar A. > > Meaning is NOT in words, but inside people! Dr. Myles Munroe. > > > On Feb 12, 2015, at 12:51 PM, Roland Janus <[email protected]> > wrote: > > I disagree. > > Basically there is no useful method to prevent deploying any app as soon > as they have access to any collection especially considering packagers. > > > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *elsalvoz > *Sent:* Donnerstag, 12. Februar 2015 15:47 > *To:* [email protected] > *Subject:* Re: [mssms] RBAC: Deploy action linked to Collection not > making sense > > > > Just went through that at latest gig. > > Those activities can only be executed onto collection. Kinda makes sense. > Cesar > > On Feb 12, 2015 12:27 AM, "Roland Janus" <[email protected]> wrote: > > Have you noticed that the deploy and move action for an application is > linked to a collection instead of the application object itself? > > > > I have a packager role and a packager scope. There are also collections > for them and that’s the only thing they can touch. > > Almost.. > > > > > > They can create apps, collections within their limits and deploy to them. > > Once an admin changes the scope of a package, removes “packagers” leaving > “default”, there edit/delete etc. access is revoked. > > But they still can “deploy”, because that action is linked to a collection > and not what would make sense to me to the application. > > I mean the object to control is the application, not the collection, why > would “deploy” be part of an collection? > > Shouldn’t deploy always be linked to the object to the deploy and not what > to deploy TO? So “deploy” for all classes (app, packages, settings etc.)? > > Does that make sense to you? > > > > I could remove read only access, then they wouldn’t see it anymore, hence > can’t deploy, but I want them to be able to see live apps. > > > > Is there a way around that? > > > > -Roland > > > > > > > > > > > >
