Bug 801908 - RBAC permissions should be better documented and have fewer surprises
Product: Red Hat Satellite 6
Classification: Red Hat
Component: WebUI
Hardware/OS: Unspecified / Unspecified
Priority: unspecified
Severity: medium
Assigned To: Mike McCune
QA Contact: Katello QA List
Keywords: Triaged
Blocks: 796964
Reported: 2012-03-09 14:45 EST by Jeff Weiss
Modified: 2014-11-09 17:52 EST
Doc Type: Bug Fix
Last Closed: 2014-03-18 13:39:10 EDT

Description Jeff Weiss 2012-03-09 14:45:34 EST
Description of problem:
It's not at all clear to a user exactly what tabs/panels he will get access to when given a particular permission.  See https://bugzilla.redhat.com/show_bug.cgi?id=796964

In the above bug, there are several issues:
1) Some tabs are enabled, such as GPG keys, for seemingly unrelated permissions (Sync Products).
2) Some permissions are enabled completely outside the user-accessible RBAC settings. For example, when a user is given a default environment, he automatically gets permissions to register and view systems, even though in the roles UI he has no permissions.

I think 2) should be eliminated entirely.  If a customer deliberately gives a user no permission, that's exactly what he should have.  Even if he has a default environment, he should not be able to register or view systems.

As for 1) I think there should be tooltips or hovertext or something in the RBAC ui panels explaining exactly what each permission grants.  Otherwise it's very difficult to use fine-grained permissions, since you can't know exactly what will be granted until you try it.

Version-Release number of selected component (if applicable):
Katello Version: 0.2.8-1.git.24.b178f46.el6

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Dmitri Dolguikh 2012-09-25 08:29:24 EDT
I think this warrants a bit of a discussion.

#1 is a documentation issue, mostly. At least as things stand now, candlepin permits registration and viewing of systems to all consumers. Katello's default permissions reflect that.

#2 is an impedance mismatch between data model and views. You are right that UI should somehow show the relation between roles/permissions and views. I'm not sure hover-over is appropriate for that however, as there could be quite a bit of information there.

We probably need an additional panel that shows a list of accessible pages/tabs/fields that UI updates as changes are made to roles/permissions.
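An added illustration of the kind of "effective access" preview proposed in this comment. This is constructed example code, not Katello's own; the permission names, view names and the default-environment rule are hypothetical placeholders standing in for the behaviour described in the bug (a permission unlocking an unrelated tab, and an implicit grant that never appears in the roles UI).

```ruby
# Constructed illustration: which UI views a set of permissions exposes,
# including implicit grants that do not show up in the roles UI.
# All permission and view names below are hypothetical placeholders.

# Explicit permission -> views it unlocks (constructed mapping).
# "sync_products" also exposing the GPG Keys tab is the kind of
# surprise the bug describes; listing it here makes it visible.
PERMISSION_VIEWS = {
  "sync_products"    => ["Products tab", "Sync Status tab", "GPG Keys tab"],
  "read_systems"     => ["Systems tab"],
  "register_systems" => ["Systems > Register"],
}.freeze

# Grants that come from user state outside the roles UI.
# Here: having a default environment implicitly grants system access.
IMPLICIT_GRANTS = {
  default_environment: ["read_systems", "register_systems"],
}.freeze

# Returns what a user can reach and why:
#   :views                 view name -> list of sources that unlock it
#   :implicit_permissions  permissions granted without any role
#   :surprises             views reachable only through implicit grants
def effective_access(explicit_permissions, user_state)
  explicit = explicit_permissions.uniq
  implicit = IMPLICIT_GRANTS.select { |k, _| user_state[k] }
                            .values.flatten.uniq - explicit
  views = {}
  (explicit + implicit).each do |perm|
    source = explicit.include?(perm) ? "role: #{perm}" : "implicit: #{perm}"
    (PERMISSION_VIEWS[perm] || []).each { |v| (views[v] ||= []) << source }
  end
  {
    views: views,
    implicit_permissions: implicit,
    surprises: views.select { |_, srcs| srcs.none? { |s| s.start_with?("role:") } }.keys,
  }
end

if __FILE__ == $PROGRAM_NAME
  # A user with only Sync Products in a role, but with a default environment.
  report = effective_access(["sync_products"], { default_environment: true })
  report[:views].each { |view, srcs| puts "#{view} <- #{srcs.join(', ')}" }
  puts "Reachable only via implicit grants: #{report[:surprises].join(', ')}"
end
```

Rendering this report next to the roles editor, and updating it as roles change, is one way to give the "no permissions means no access" check an administrator can actually verify before saving.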
Comment 3 Mike McCune 2014-03-18 13:39:10 EDT
This bug was closed because of a lack of activity.  If you feel this bug should be reconsidered for attention please feel free to re-open the bug with a comment stating why it should be reconsidered.
