Re: [Engine-devel] Adding users and assigning roles in Ovirt
- Original Message - > From: "Einav Cohen" > To: "Malini Rao" > Cc: "Oved Ourfalli" , engine-devel@ovirt.org > Sent: Monday, December 2, 2013 9:55:45 PM > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > - Original Message - > > From: "Malini Rao" > > Sent: Monday, December 2, 2013 2:20:06 PM > > > > Joining in the thread a bit green but wouldn't it be ok to add the new user > > with the most basic permissions by default ( may be just read only > > permissions)until the admin goes and deliberately tweaks permissions or > > assigns a role? > > this is similar to what Oved has suggested, but I think that it won't really > make any difference, since there is very little chance, in my view, that > these > permissions would be sufficient for anything - the admin would need to assign > additional/different permissions at some point anyway, so not much point in > allowing that default minimal assignment in the first place - we might as > well > keep the 'Add User(s)' dialog as is. > > > > > Also, if we add that roles drop down as Einav mentioned, isn't there a way > > to > > only show that drop down if the logged in user is an admin role? > > the logged in user must be an admin, as the 'Add User(s)' dialog (which is > available from the Users main tab) exists only in the web-admin, which is > accessible only to admins by definition. > > > > > +1 on the user adding wizard. I think in general connecting related task > > flows together will improve the overall UX too. +1 here > > agreed. > > > > > Thanks > > Malini > > > > - Original Message - > > From: "Einav Cohen" > > To: "Gilad Chaplik" , "Ramesh" , > > "Oved Ourfalli" > > Cc: engine-devel@ovirt.org > > Sent: Monday, December 2, 2013 1:37:57 PM > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > > we should definitely not completely remove the possibility to add > > permission-less users to the system, > > due to possible use-cases as Gilad mentioned and/or simply to allow the > > flexibility of adding the user > > first, and only then adding the relevant (business entity and) permissions, > > should the admin choose to > > do so. > > > > the more correct location to add system permissions to a user would > > probably > > be a 'Add System Permission' > > dialog that will be available from the Permissions sub-tab of the Users > > main > > tab, however it won't allow > > to assign system permissions to several users at once, so I understand the > > need for this ability within > > the 'Add User(s)' dialog. > > > > I think that adding an "allow user to login" check-box would not be good > > enough, since once a user > > would be able to login, he won't be able to do (or even see) anything > > (well, > > other than the 'Blank' > > Template, maybe), so the admin would need to assign additional permissions > > to > > this user anyway. > > The minimal solution in my view is to add a "assign these users the > > following > > system permissions" > > check-box, with a Roles drop down; as Gilad mentioned - need to be very > > careful with that, as > > system-wide permissions are powerful. > > A more comprehensive solution (more complex for implementation) would > > probably be, as Oved mentioned, > > some sort of a user-adding-wizard, that will allow easy > > permissions-assignment (maybe even not only > > system-wide permissions) to the newly-added users. > > > > > > Thanks, > > Einav > > > > - Original Message - > > > From: "Gilad Chaplik" > > > To: "Oved Ourfalli" > > > Cc: engine-devel@ovirt.org > > > Sent: Monday, December 2, 2013 3:47:56 AM > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > > > > Hi Ramesh, > > > > > > You're right, I also think that the 'add users' is a bit pointless, but > > > adding a system permission in that dialog can be dangerous (if admin > > > doesn't > > > fully understand what he's doing, and MLA is complicated enough ;-) ). > > > > > > Currently when adding a permission we can specify a AD-user (regardless > > > to > > > the fact he's added or
Re: [Engine-devel] Adding users and assigning roles in Ovirt
> - Original Message - > From: "Malini Rao" > Sent: Monday, December 2, 2013 2:20:06 PM > > Joining in the thread a bit green but wouldn't it be ok to add the new user > with the most basic permissions by default ( may be just read only > permissions)until the admin goes and deliberately tweaks permissions or > assigns a role? this is similar to what Oved has suggested, but I think that it won't really make any difference, since there is very little chance, in my view, that these permissions would be sufficient for anything - the admin would need to assign additional/different permissions at some point anyway, so not much point in allowing that default minimal assignment in the first place - we might as well keep the 'Add User(s)' dialog as is. > > Also, if we add that roles drop down as Einav mentioned, isn't there a way to > only show that drop down if the logged in user is an admin role? the logged in user must be an admin, as the 'Add User(s)' dialog (which is available from the Users main tab) exists only in the web-admin, which is accessible only to admins by definition. > > +1 on the user adding wizard. I think in general connecting related task > flows together will improve the overall UX too. agreed. > > Thanks > Malini > > - Original Message - > From: "Einav Cohen" > To: "Gilad Chaplik" , "Ramesh" , > "Oved Ourfalli" > Cc: engine-devel@ovirt.org > Sent: Monday, December 2, 2013 1:37:57 PM > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > we should definitely not completely remove the possibility to add > permission-less users to the system, > due to possible use-cases as Gilad mentioned and/or simply to allow the > flexibility of adding the user > first, and only then adding the relevant (business entity and) permissions, > should the admin choose to > do so. > > the more correct location to add system permissions to a user would probably > be a 'Add System Permission' > dialog that will be available from the Permissions sub-tab of the Users main > tab, however it won't allow > to assign system permissions to several users at once, so I understand the > need for this ability within > the 'Add User(s)' dialog. > > I think that adding an "allow user to login" check-box would not be good > enough, since once a user > would be able to login, he won't be able to do (or even see) anything (well, > other than the 'Blank' > Template, maybe), so the admin would need to assign additional permissions to > this user anyway. > The minimal solution in my view is to add a "assign these users the following > system permissions" > check-box, with a Roles drop down; as Gilad mentioned - need to be very > careful with that, as > system-wide permissions are powerful. > A more comprehensive solution (more complex for implementation) would > probably be, as Oved mentioned, > some sort of a user-adding-wizard, that will allow easy > permissions-assignment (maybe even not only > system-wide permissions) to the newly-added users. > > > Thanks, > Einav > > - Original Message - > > From: "Gilad Chaplik" > > To: "Oved Ourfalli" > > Cc: engine-devel@ovirt.org > > Sent: Monday, December 2, 2013 3:47:56 AM > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > > Hi Ramesh, > > > > You're right, I also think that the 'add users' is a bit pointless, but > > adding a system permission in that dialog can be dangerous (if admin > > doesn't > > fully understand what he's doing, and MLA is complicated enough ;-) ). > > > > Currently when adding a permission we can specify a AD-user (regardless to > > the fact he's added or not), So eventually power users can add users to the > > system. > > I can think of a case, that admins will want to manage the users by > > themselves, i.e- power users can add permissions for the added users only. > > this way this dialog can be useful. > > > > Thanks, > > Gilad. > > > > - Original Message - > > > From: "Oved Ourfalli" > > > To: "Ramesh" > > > Cc: engine-devel@ovirt.org > > > Sent: Monday, December 2, 2013 9:01:52 AM > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > > > > Your E-mail made me look a bit and check the different flows. > > > > > > I think the only use-case for adding users without giving any permis
Re: [Engine-devel] Adding users and assigning roles in Ovirt
Joining in the thread a bit green but wouldn't it be ok to add the new user with the most basic permissions by default ( may be just read only permissions)until the admin goes and deliberately tweaks permissions or assigns a role? Also, if we add that roles drop down as Einav mentioned, isn't there a way to only show that drop down if the logged in user is an admin role? +1 on the user adding wizard. I think in general connecting related task flows together will improve the overall UX too. Thanks Malini - Original Message - From: "Einav Cohen" To: "Gilad Chaplik" , "Ramesh" , "Oved Ourfalli" Cc: engine-devel@ovirt.org Sent: Monday, December 2, 2013 1:37:57 PM Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt we should definitely not completely remove the possibility to add permission-less users to the system, due to possible use-cases as Gilad mentioned and/or simply to allow the flexibility of adding the user first, and only then adding the relevant (business entity and) permissions, should the admin choose to do so. the more correct location to add system permissions to a user would probably be a 'Add System Permission' dialog that will be available from the Permissions sub-tab of the Users main tab, however it won't allow to assign system permissions to several users at once, so I understand the need for this ability within the 'Add User(s)' dialog. I think that adding an "allow user to login" check-box would not be good enough, since once a user would be able to login, he won't be able to do (or even see) anything (well, other than the 'Blank' Template, maybe), so the admin would need to assign additional permissions to this user anyway. The minimal solution in my view is to add a "assign these users the following system permissions" check-box, with a Roles drop down; as Gilad mentioned - need to be very careful with that, as system-wide permissions are powerful. A more comprehensive solution (more complex for implementation) would probably be, as Oved mentioned, some sort of a user-adding-wizard, that will allow easy permissions-assignment (maybe even not only system-wide permissions) to the newly-added users. Thanks, Einav - Original Message - > From: "Gilad Chaplik" > To: "Oved Ourfalli" > Cc: engine-devel@ovirt.org > Sent: Monday, December 2, 2013 3:47:56 AM > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > Hi Ramesh, > > You're right, I also think that the 'add users' is a bit pointless, but > adding a system permission in that dialog can be dangerous (if admin doesn't > fully understand what he's doing, and MLA is complicated enough ;-) ). > > Currently when adding a permission we can specify a AD-user (regardless to > the fact he's added or not), So eventually power users can add users to the > system. > I can think of a case, that admins will want to manage the users by > themselves, i.e- power users can add permissions for the added users only. > this way this dialog can be useful. > > Thanks, > Gilad. > > - Original Message - > > From: "Oved Ourfalli" > > To: "Ramesh" > > Cc: engine-devel@ovirt.org > > Sent: Monday, December 2, 2013 9:01:52 AM > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > > Your E-mail made me look a bit and check the different flows. > > > > I think the only use-case for adding users without giving any permissions > > is > > when you add a user for notification reasons. > > You can add a user, and then in the Event Notifier sub-tab define what > > events > > he will get via E-mail. > > afaik (and I'm not an event notifier expert), this user doesn't have to be > > able to login, or to have permissions of any kind. He just gets events. > > > > Other than that you're right. A user which is added to the system can't do > > much without assigning him roles. > > I think adding roles assignment to this dialog may be a bit cumbersome. > > Perhaps some wizard is required in that case. Or at least some checkbox > > saying "allow user to login". That way the new user will be able to login, > > and he will have some default permissions as well (permissions granted to > > Everyone). > > > > Let's see what others think. > > > > Regards, > > Oved > > > > > > - Original Message - > > > From: "Ramesh" > > > To: engine-devel@ovirt.org > > > Sent: Monday, December 2, 2013 7:22:53 AM > > > Subject:
Re: [Engine-devel] Adding users and assigning roles in Ovirt
we should definitely not completely remove the possibility to add permission-less users to the system, due to possible use-cases as Gilad mentioned and/or simply to allow the flexibility of adding the user first, and only then adding the relevant (business entity and) permissions, should the admin choose to do so. the more correct location to add system permissions to a user would probably be a 'Add System Permission' dialog that will be available from the Permissions sub-tab of the Users main tab, however it won't allow to assign system permissions to several users at once, so I understand the need for this ability within the 'Add User(s)' dialog. I think that adding an "allow user to login" check-box would not be good enough, since once a user would be able to login, he won't be able to do (or even see) anything (well, other than the 'Blank' Template, maybe), so the admin would need to assign additional permissions to this user anyway. The minimal solution in my view is to add a "assign these users the following system permissions" check-box, with a Roles drop down; as Gilad mentioned - need to be very careful with that, as system-wide permissions are powerful. A more comprehensive solution (more complex for implementation) would probably be, as Oved mentioned, some sort of a user-adding-wizard, that will allow easy permissions-assignment (maybe even not only system-wide permissions) to the newly-added users. Thanks, Einav - Original Message - > From: "Gilad Chaplik" > To: "Oved Ourfalli" > Cc: engine-devel@ovirt.org > Sent: Monday, December 2, 2013 3:47:56 AM > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > Hi Ramesh, > > You're right, I also think that the 'add users' is a bit pointless, but > adding a system permission in that dialog can be dangerous (if admin doesn't > fully understand what he's doing, and MLA is complicated enough ;-) ). > > Currently when adding a permission we can specify a AD-user (regardless to > the fact he's added or not), So eventually power users can add users to the > system. > I can think of a case, that admins will want to manage the users by > themselves, i.e- power users can add permissions for the added users only. > this way this dialog can be useful. > > Thanks, > Gilad. > > ----- Original Message - > > From: "Oved Ourfalli" > > To: "Ramesh" > > Cc: engine-devel@ovirt.org > > Sent: Monday, December 2, 2013 9:01:52 AM > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > > > Your E-mail made me look a bit and check the different flows. > > > > I think the only use-case for adding users without giving any permissions > > is > > when you add a user for notification reasons. > > You can add a user, and then in the Event Notifier sub-tab define what > > events > > he will get via E-mail. > > afaik (and I'm not an event notifier expert), this user doesn't have to be > > able to login, or to have permissions of any kind. He just gets events. > > > > Other than that you're right. A user which is added to the system can't do > > much without assigning him roles. > > I think adding roles assignment to this dialog may be a bit cumbersome. > > Perhaps some wizard is required in that case. Or at least some checkbox > > saying "allow user to login". That way the new user will be able to login, > > and he will have some default permissions as well (permissions granted to > > Everyone). > > > > Let's see what others think. > > > > Regards, > > Oved > > > > > > - Original Message - > > > From: "Ramesh" > > > To: engine-devel@ovirt.org > > > Sent: Monday, December 2, 2013 7:22:53 AM > > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt > > > > > > Hi All, > > > > > >We have 'Add' action under 'Users' main tab to add users in Ovirt . > > > It looks slightly different from the "Add user" option of the Configure > > > option. Actually, this one is missing the "Role to Assign" option. I > > > think without assigning any role, adding a user is not meaningful and it > > > didn't complete the flow. > > > > > >Currently to assign any role to the user, either we have to use > > > 'Configure' option ( to add system permission) or we have to go to the > > > specific entity and add permission for that entity. It will b
Re: [Engine-devel] Adding users and assigning roles in Ovirt
Hi Ramesh, You're right, I also think that the 'add users' is a bit pointless, but adding a system permission in that dialog can be dangerous (if admin doesn't fully understand what he's doing, and MLA is complicated enough ;-) ). Currently when adding a permission we can specify a AD-user (regardless to the fact he's added or not), So eventually power users can add users to the system. I can think of a case, that admins will want to manage the users by themselves, i.e- power users can add permissions for the added users only. this way this dialog can be useful. Thanks, Gilad. - Original Message - > From: "Oved Ourfalli" > To: "Ramesh" > Cc: engine-devel@ovirt.org > Sent: Monday, December 2, 2013 9:01:52 AM > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt > > Your E-mail made me look a bit and check the different flows. > > I think the only use-case for adding users without giving any permissions is > when you add a user for notification reasons. > You can add a user, and then in the Event Notifier sub-tab define what events > he will get via E-mail. > afaik (and I'm not an event notifier expert), this user doesn't have to be > able to login, or to have permissions of any kind. He just gets events. > > Other than that you're right. A user which is added to the system can't do > much without assigning him roles. > I think adding roles assignment to this dialog may be a bit cumbersome. > Perhaps some wizard is required in that case. Or at least some checkbox > saying "allow user to login". That way the new user will be able to login, > and he will have some default permissions as well (permissions granted to > Everyone). > > Let's see what others think. > > Regards, > Oved > > > - Original Message - > > From: "Ramesh" > > To: engine-devel@ovirt.org > > Sent: Monday, December 2, 2013 7:22:53 AM > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt > > > > Hi All, > > > >We have 'Add' action under 'Users' main tab to add users in Ovirt . > > It looks slightly different from the "Add user" option of the Configure > > option. Actually, this one is missing the "Role to Assign" option. I > > think without assigning any role, adding a user is not meaningful and it > > didn't complete the flow. > > > >Currently to assign any role to the user, either we have to use > > 'Configure' option ( to add system permission) or we have to go to the > > specific entity and add permission for that entity. It will be nice if > > we can assign roles( system level permissions) while adding users in > > 'Users' tab itself. It will be a clear user flow where one can add user > > and assign role in the same place. > > > > I have attached both the screen shots. > > > > please share your thoughts. > > > > Regards, > > Ramesh > > > > > > ___ > > Engine-devel mailing list > > Engine-devel@ovirt.org > > http://lists.ovirt.org/mailman/listinfo/engine-devel > > > ___ > Engine-devel mailing list > Engine-devel@ovirt.org > http://lists.ovirt.org/mailman/listinfo/engine-devel > ___ Engine-devel mailing list Engine-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel
Re: [Engine-devel] Adding users and assigning roles in Ovirt
Your E-mail made me look a bit and check the different flows. I think the only use-case for adding users without giving any permissions is when you add a user for notification reasons. You can add a user, and then in the Event Notifier sub-tab define what events he will get via E-mail. afaik (and I'm not an event notifier expert), this user doesn't have to be able to login, or to have permissions of any kind. He just gets events. Other than that you're right. A user which is added to the system can't do much without assigning him roles. I think adding roles assignment to this dialog may be a bit cumbersome. Perhaps some wizard is required in that case. Or at least some checkbox saying "allow user to login". That way the new user will be able to login, and he will have some default permissions as well (permissions granted to Everyone). Let's see what others think. Regards, Oved - Original Message - > From: "Ramesh" > To: engine-devel@ovirt.org > Sent: Monday, December 2, 2013 7:22:53 AM > Subject: [Engine-devel] Adding users and assigning roles in Ovirt > > Hi All, > >We have 'Add' action under 'Users' main tab to add users in Ovirt . > It looks slightly different from the "Add user" option of the Configure > option. Actually, this one is missing the "Role to Assign" option. I > think without assigning any role, adding a user is not meaningful and it > didn't complete the flow. > >Currently to assign any role to the user, either we have to use > 'Configure' option ( to add system permission) or we have to go to the > specific entity and add permission for that entity. It will be nice if > we can assign roles( system level permissions) while adding users in > 'Users' tab itself. It will be a clear user flow where one can add user > and assign role in the same place. > > I have attached both the screen shots. > > please share your thoughts. > > Regards, > Ramesh > > > ___ > Engine-devel mailing list > Engine-devel@ovirt.org > http://lists.ovirt.org/mailman/listinfo/engine-devel > ___ Engine-devel mailing list Engine-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel
