ACLs for Parameters need to be more fine grained
Currently, a user cannot delete a parameter unless he has permission to delete the whole host. That's not going to work in our infrastructure, and I suspect the same for others too. I want to give lower levels of support the ability to modify a host (including creating or destroying parameters) but not to delete the whole host (along with it's reports, which are valuable).
Furthermore, it probably makes sense to have a similar separation for the classes tab as well - I'd really like to restrict one level of support to parameters only, and the next level to editing (but not deleting) the whole host, and the top level has full access. However, only the parameter ACl is really needed right now.
I'm happy to have a go at this, so this feature request is mainly to remind me :)
refs #1324 remove debugging code
#1 Updated by Greg Sutcliffe about 11 years ago
- Assignee set to Greg Sutcliffe
- Target version set to 1.0
- % Done changed from 0 to 70
This is ready for merge (tests pass cleanly), but I'm going to roll #1484 into this, so hold off until I get that done.
#2 Updated by Greg Sutcliffe about 11 years ago
- Status changed from New to Closed
- % Done changed from 70 to 100
Applied in changeset 54358a76e4fc7355c51404f6888cb66600a27fdc.
fixes #1324 - Separate permssions on hosts from permissions for objects within hosts.
This allows a user to be granted permission to edit the host (and so change the group or proxy) but not, for example, edit the parameters
This could probably be extended further if necessary.