Feature #3193

Allow compartmentalisation/filtering of permissions by Organisation/Location

Added by Ken Coar about 6 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Authorization
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

It would be nice if a user in an organisation could be granted 'edit user' access (etc.) solely for other users within his organisation. (Ditto for location.)

As with the usual separation of powers model, the permission should not allow the privileged user to elevate any others to his own level. (E.g., in IRC, you typically can only grant your-access-minus-one to others.)

With a limited number of administrators, the ability to delegate this sort of self-maintenance to organisations would be extremely useful.

Perhaps this can be done as simply as adding the organization and location bits to the filter list on the user profile page.


Related issues

Related to Foreman - Feature #812: cant assign roles to groups, just to users (Closed, 2011-03-31)
Blocks Foreman - Tracker #4552: New permissions/authorization system issues (New)
Blocked by Foreman - Bug #5929: Taxonomy selectors do not obey assign_$taxonomy permissions (Closed, 2014-05-26)

History

#1 Updated by Marek Hulán over 5 years ago

  • Related to Feature #812: cant assign roles to groups, just to users added

#2 Updated by Marek Hulán over 5 years ago

  • Difficulty deleted (easy)

Delegation on the taxonomy level should work in the new permission system. However, limiting the assigned permissions can be tricky because a user can have different permissions in different taxonomies. Therefore removing the easy difficulty.

#3 Updated by Dominic Cleal over 5 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Marek Hulán
  • Target version set to 1.9.0

#4 Updated by Dominic Cleal over 5 years ago

We think this is implemented through #812, but it requires further verification and testing; it may need follow-up work.

#5 Updated by Dominic Cleal over 5 years ago

  • Status changed from Ready For Testing to New
  • Assignee deleted (Marek Hulán)
  • % Done changed from 0 to 80

#6 Updated by Dominic Cleal over 5 years ago

  • Blocks Tracker #4552: New permissions/authorization system issues added

#7 Updated by Dmitri Dolguikh over 5 years ago

  • Target version changed from 1.9.0 to 1.8.4

#8 Updated by Dmitri Dolguikh over 5 years ago

  • Target version changed from 1.8.4 to 1.8.3

#9 Updated by Dmitri Dolguikh over 5 years ago

  • Target version deleted (1.8.3)

#10 Updated by Marek Hulán over 5 years ago

  • Blocked by Bug #5929: Taxonomy selectors do not obey assign_$taxonomy permissions added

#11 Updated by Marek Hulán over 5 years ago

#5929 should be the last missing part

The role to manage users in other orgs should include two filters: the first granting *_users permissions limited to a specific org, and the second allowing view_organizations and assign_organizations (filtered for ids of specific orgs).
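
The two-filter role from comment #11 and the no-elevation rule from the description, modelled as an added Ruby example that is not Foreman's code and not part of any comment here. The Filter and Role structs, the helper names and the organisation ids are assumptions for illustration, and the strict-subset test is one reading of "your-access-minus-one".

```ruby
require 'set'

# Simplified model (not Foreman's classes): a filter grants a set of
# permissions inside a set of organisation ids.
Filter = Struct.new(:permissions, :org_ids)

Role = Struct.new(:name, :filters) do
  # Permissions this role holds inside one organisation.
  def permissions_in(org_id)
    filters.select { |f| f.org_ids.include?(org_id) }
           .flat_map { |f| f.permissions.to_a }.to_set
  end

  def allows?(permission, org_id)
    permissions_in(org_id).include?(permission)
  end

  def org_ids
    filters.flat_map { |f| f.org_ids.to_a }.to_set
  end
end

# The two-filter role from comment #11, scoped to the given organisation ids.
def org_user_manager(org_ids, user_perms = %w[view_users edit_users])
  Role.new('org user manager', [
    Filter.new(user_perms.to_set, org_ids.to_set),
    Filter.new(%w[view_organizations assign_organizations].to_set, org_ids.to_set)
  ])
end

# Editing is allowed only if the target user sits in an organisation where
# the actor holds edit_users (assumption: one shared organisation suffices).
def can_edit_user?(actor, target_org_ids)
  target_org_ids.any? { |id| actor.allows?('edit_users', id) }
end

# Separation-of-powers check, evaluated per organisation because a user can
# hold different permissions in different taxonomies: in every organisation
# the granted role covers, it must be strictly smaller than the actor's set.
def can_delegate?(actor, granted)
  granted.org_ids.all? do |id|
    granted.permissions_in(id).proper_subset?(actor.permissions_in(id))
  end
end

manager = org_user_manager([1]) # organisation ids 1 and 2 are constructed
viewer  = Role.new('viewer', [Filter.new(%w[view_users].to_set, [2].to_set)])
puts can_edit_user?(manager, [2])
puts can_delegate?(manager, viewer)
```
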

#12 Updated by Marek Hulán over 3 years ago

  • Status changed from New to Resolved

I think this has been implemented for a while, please let us know if there's something missing.
