[moving discussion to the users mailing list]

while it seems that we all agree on adding some sort of a wizard that will allow easy permission assignment to newly-added users, it doesn't seem like something that can be accomplished soon (e.g. for oVirt 3.4).
maybe we can utilize Ramesh's initial suggestion [1] for the short term - allow assignment of *System* permissions in the context of the 'Add User(s)' dialog [with an explicit clarification within the dialog that we are talking about *System* permissions, so that the admin will be aware that the privileges that he can assign in this context would be very permissive]

any thoughts?

how extensively are system permissions used in oVirt in general? [if adding a system permission is not a common/popular action, there is no reason to expose it in the 'Add User(s)' dialog, since it will probably be hardly used anyway]

maybe different ideas for short-term solutions?

----
Thanks,
Einav

[1] http://lists.ovirt.org/pipermail/engine-devel/2013-December/006059.html

----- Forwarded Message -----
From: "Yair Zaslavsky" <yzasl...@redhat.com>
To: "Einav Cohen" <eco...@redhat.com>
Cc: "Oved Ourfalli" <ov...@redhat.com>, engine-devel@ovirt.org
Sent: Monday, December 2, 2013 4:09:10 PM
Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt

----- Original Message -----
> From: "Einav Cohen" <eco...@redhat.com>
> To: "Malini Rao" <m...@redhat.com>
> Cc: "Oved Ourfalli" <ov...@redhat.com>, engine-devel@ovirt.org
> Sent: Monday, December 2, 2013 9:55:45 PM
> Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
>
> ----- Original Message -----
> > From: "Malini Rao" <m...@redhat.com>
> > Sent: Monday, December 2, 2013 2:20:06 PM
> >
> > Joining in the thread a bit green but wouldn't it be ok to add the new user with the most basic permissions by default (maybe just read-only permissions) until the admin goes and deliberately tweaks permissions or assigns a role?
>
> this is similar to what Oved has suggested, but I think that it won't really make any difference, since there is very little chance, in my view, that these permissions would be sufficient for anything - the admin would need to assign additional/different permissions at some point anyway, so not much point in allowing that default minimal assignment in the first place - we might as well keep the 'Add User(s)' dialog as is.
>
> > Also, if we add that roles drop down as Einav mentioned, isn't there a way to only show that drop down if the logged in user is an admin role?
>
> the logged in user must be an admin, as the 'Add User(s)' dialog (which is available from the Users main tab) exists only in the web-admin, which is accessible only to admins by definition.
>
> > +1 on the user adding wizard. I think in general connecting related task flows together will improve the overall UX too.

+1 here

> agreed.
>
> > Thanks
> > Malini
> >
> > ----- Original Message -----
> > From: "Einav Cohen" <eco...@redhat.com>
> > To: "Gilad Chaplik" <gchap...@redhat.com>, "Ramesh" <rnach...@redhat.com>, "Oved Ourfalli" <ov...@redhat.com>
> > Cc: engine-devel@ovirt.org
> > Sent: Monday, December 2, 2013 1:37:57 PM
> > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> >
> > we should definitely not completely remove the possibility to add permission-less users to the system, due to possible use-cases as Gilad mentioned and/or simply to allow the flexibility of adding the user first, and only then adding the relevant (business entity and) permissions, should the admin choose to do so.
> >
> > the more correct location to add system permissions to a user would probably be an 'Add System Permission' dialog that will be available from the Permissions sub-tab of the Users main tab, however it won't allow to assign system permissions to several users at once, so I understand the need for this ability within the 'Add User(s)' dialog.
> >
> > I think that adding an "allow user to login" check-box would not be good enough, since once a user would be able to login, he won't be able to do (or even see) anything (well, other than the 'Blank' Template, maybe), so the admin would need to assign additional permissions to this user anyway.
> > The minimal solution in my view is to add an "assign these users the following system permissions" check-box, with a Roles drop down; as Gilad mentioned - need to be very careful with that, as system-wide permissions are powerful.
> > A more comprehensive solution (more complex for implementation) would probably be, as Oved mentioned, some sort of a user-adding-wizard, that will allow easy permissions-assignment (maybe even not only system-wide permissions) to the newly-added users.
> >
> > ----
> > Thanks,
> > Einav
> >
> > ----- Original Message -----
> > > From: "Gilad Chaplik" <gchap...@redhat.com>
> > > To: "Oved Ourfalli" <ov...@redhat.com>
> > > Cc: engine-devel@ovirt.org
> > > Sent: Monday, December 2, 2013 3:47:56 AM
> > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > >
> > > Hi Ramesh,
> > >
> > > You're right, I also think that the 'add users' is a bit pointless, but adding a system permission in that dialog can be dangerous (if admin doesn't fully understand what he's doing, and MLA is complicated enough ;-) ).
> > >
> > > Currently when adding a permission we can specify an AD-user (regardless of the fact he's added or not), so eventually power users can add users to the system.
> > > I can think of a case, that admins will want to manage the users by themselves, i.e. power users can add permissions for the added users only. this way this dialog can be useful.
> > >
> > > Thanks,
> > > Gilad.
> > >
> > > ----- Original Message -----
> > > > From: "Oved Ourfalli" <ov...@redhat.com>
> > > > To: "Ramesh" <rnach...@redhat.com>
> > > > Cc: engine-devel@ovirt.org
> > > > Sent: Monday, December 2, 2013 9:01:52 AM
> > > > Subject: Re: [Engine-devel] Adding users and assigning roles in Ovirt
> > > >
> > > > Your E-mail made me look a bit and check the different flows.
> > > >
> > > > I think the only use-case for adding users without giving any permissions is when you add a user for notification reasons.
> > > > You can add a user, and then in the Event Notifier sub-tab define what events he will get via E-mail.
> > > > afaik (and I'm not an event notifier expert), this user doesn't have to be able to login, or to have permissions of any kind. He just gets events.

+1 - this is due to the fact a user has an email account - no need to login to ovirt-engine in order to read your emails :)

> > > >
> > > > Other than that you're right. A user which is added to the system can't do much without assigning him roles.
> > > > I think adding roles assignment to this dialog may be a bit cumbersome. Perhaps some wizard is required in that case. Or at least some checkbox saying "allow user to login". That way the new user will be able to login, and he will have some default permissions as well (permissions granted to Everyone).
> > > >
> > > > Let's see what others think.
> > > >
> > > > Regards,
> > > > Oved
> > > >
> > > > ----- Original Message -----
> > > > > From: "Ramesh" <rnach...@redhat.com>
> > > > > To: engine-devel@ovirt.org
> > > > > Sent: Monday, December 2, 2013 7:22:53 AM
> > > > > Subject: [Engine-devel] Adding users and assigning roles in Ovirt
> > > > >
> > > > > Hi All,
> > > > >
> > > > > We have 'Add' action under 'Users' main tab to add users in oVirt. It looks slightly different from the "Add user" option of the Configure option. Actually, this one is missing the "Role to Assign" option. I think without assigning any role, adding a user is not meaningful and it didn't complete the flow.
> > > > >
> > > > > Currently to assign any role to the user, either we have to use 'Configure' option (to add system permission) or we have to go to the specific entity and add permission for that entity. It will be nice if we can assign roles (system level permissions) while adding users in 'Users' tab itself. It will be a clear user flow where one can add user and assign role in the same place.
> > > > >
> > > > > I have attached both the screen shots.
> > > > >
> > > > > please share your thoughts.
> > > > >
> > > > > Regards,
> > > > > Ramesh
> > > > >
> > > > > _______________________________________________
> > > > > Engine-devel mailing list
> > > > > Engine-devel@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/engine-devel