Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 801908 - RBAC permissions should be better documented and have fewer surprises
Summary: RBAC permissions should be better documented and have fewer surprises
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Mike McCune
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: 796964
TreeView+ depends on / blocked
 
Reported: 2012-03-09 19:45 UTC by Jeff Weiss
Modified: 2014-11-09 22:52 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-18 17:39:10 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Jeff Weiss 2012-03-09 19:45:34 UTC 
Description of problem:
It's not at all clear to a user exactly what tabs/panels he will get access to when given a particular permission.  See https://bugzilla.redhat.com/show_bug.cgi?id=796964

In the above bug, there are several issues - 1) that some tabs are enabled, such as GPG keys, for seemingly unrelated permissions (Sync Products).
2) Some permissions are enabled completely outside the user-accessible RBAC settings.  Such as, when a user is given a default environment, he automatically gets permissions to register and view systems - even though in the roles UI, he has no permissions.

I think 2) should be eliminated entirely.  If a customer deliberately gives a user no permission, that's exactly what he should have.  Even if he has a default environment, he should not be able to register or view systems.

As for 1) I think there should be tooltips or hovertext or something in the RBAC ui panels explaining exactly what each permission grants.  Otherwise it's very difficult to use fine-grained permissions, since you can't know exactly what will be granted until you try it.

Version-Release number of selected component (if applicable):
Katello Version: 0.2.8-1.git.24.b178f46.el6

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Dmitri Dolguikh 2012-09-25 12:29:24 UTC 
I think this warrants a bit of a discussion. 

#1 is a documentation issue, mostly. At least as things stand now, candlepin permits registration and viewing of systems to all consumers. Katello's default permissions reflect that.


#2 is an impedance mismatch between data model and views. You are right that UI should somehow show the relation between roles/permissions and views. I'm not sure hover-over is appropriate for that however, as there could be quite a bit of information there.

We probably need an additional panel that shows a list of accessible pages/tabs/fields that UI updates as changes are made to roles/permissions.
Comment 3 Mike McCune 2014-03-18 17:39:10 UTC 
This bug was closed because of a lack of activity.  If you feel this bug should be reconsidered for attention please feel free to re-open the bug with a comment stating why it should be reconsidered.
Note You need to log in before you can comment on or make changes to this bug.