From a4d0371638111a8fda0d360e8892cc4f1d253338 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Fri, 6 Dec 2024 13:12:34 +0100 Subject: [PATCH] Add information about Default role and stacking roles https://community.theforeman.org/t/organizing-access-in-foreman-seems-overly-tedious/40278/11 --- ...ices-for-role-based-access-control-in-project.adoc | 6 +++++- .../modules/con_creating-and-managing-roles.adoc | 11 ++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/guides/common/modules/con_best-practices-for-role-based-access-control-in-project.adoc b/guides/common/modules/con_best-practices-for-role-based-access-control-in-project.adoc index 87f14322ee5..b4f94a05b6b 100644 --- a/guides/common/modules/con_best-practices-for-role-based-access-control-in-project.adoc +++ b/guides/common/modules/con_best-practices-for-role-based-access-control-in-project.adoc @@ -6,9 +6,13 @@ Define the subset of the {Project} infrastructure that you want the role to acce Think of the responsibilities of the role and how it differs from other roles. * Use predefined roles whenever possible: -{Project} provides several sample roles that can be used alone or as part of a role combination. +{Project} provides several sample roles that you can use. Copying and editing an existing role can be a good start for creating a custom role. +* Adopt a granular approach to user role management: +Define roles with specific, well-scoped permissions. +Note that each user can have multiple roles assigned and that permissions from these roles are cumulative. + * Add permissions gradually and test the results: When creating a custom role, start with a limited set of permissions and add permissions one by one, while testing continuously. Ensure to test your custom role to verify that it works as intended. 
diff --git a/guides/common/modules/con_creating-and-managing-roles.adoc b/guides/common/modules/con_creating-and-managing-roles.adoc index 6d9e51224f5..d7f602c6e0a 100644 --- a/guides/common/modules/con_creating-and-managing-roles.adoc +++ b/guides/common/modules/con_creating-and-managing-roles.adoc @@ -16,7 +16,16 @@ For a list of these roles, see xref:Predefined_Roles_Available_in_{project-conte endif::[] You can also configure custom roles. -Apart from the administrator role, the following types of roles are common: +[NOTE] +==== +One of the predefined roles is the *Default role*. +{Project} assigns the *Default role* to every user in the system. +By default, the *Default role* grants only a limited set of permissions. +Be aware that if you add a permission to the *Default role*, every {Project} users will gain that permission. +Assigning a different role to a user does not remove the *Default role* from the user. +==== + +The following types of roles are commonly defined within various {Project} deployments: Roles related to applications or parts of infrastructure:: For example, roles for owners of {client-os} as the operating system as opposed to roles for owners of application servers and database servers.
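Review bot: In con_best-practices-for-role-based-access-control-in-project.adoc, the added bullet "Adopt a granular approach to user role management" says permissions are cumulative but stops before the consequence the reader needs: a narrowly scoped role does not limit what the user's other assigned roles grant. Suggest stating that in the bullet, and replacing the "Note that each user can have ..." phrasing with a direct sentence such as "Each user can have multiple roles assigned, and the permissions from these roles are cumulative." Since the same commit documents that the Default role is assigned to every user, the bullet could also point out that the Default role is always part of that cumulative set.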
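Review bot: In con_creating-and-managing-roles.adoc, the added admonition contains a grammar error in "every {Project} users will gain that permission"; suggest "every {Project} user gains that permission". Because that sentence warns about a change that widens access for all users, an [IMPORTANT] or [WARNING] admonition would fit better than [NOTE]. The block also describes a predefined role but is placed after "You can also configure custom roles.", so consider moving it up, directly after the paragraph that links to the list of predefined roles, so that the custom-roles sentence leads straight into "The following types of roles are commonly defined ...".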