Forum GLPI-Project

MHI

Member

From: Germany

Registered: 2007-06-28

Posts: 367

Entity and Profile rights should be entity based

I do have the following problem when it comes to administrating entities and profiles as those ones are handled as "global rights". The situation is that the local IT staff in every location should be able to create subentities for their location, like department, cost center, etc. For this I have to assign "write rights" to their profile.
Entity creation itself seems to be entity based as they are only able to create entities under or on the same level they have been assigned to.
The main problem is now that those users can add themselves or anybody else to other entities where they should not have access to.
Are there any plans to make those things entity based as well ?
This would release some pain from the central admin, who otherwise needs to create all of such small requests which could be easily done by the local IT, if everything is locked down to their entity, like it has been done with users and groups.

---

RedHat Enterprise Linux 5 ES 32Bit x86
PHP 5.1.6 -- Apache 2.2.3
MySQL 5.0.45  --  GLPI 0.72.4 -- OCS 1.32 -- Home brewed MS CM import script

JMD

GLPI - Lead

Registered: 2004-09-13

Posts: 9,180

Website

Re: Entity and Profile rights should be entity based

Entity are not group , this is a specific concept.

I'don't think that is a good idea to delegate this right.

Management of entity would be a  root admin right.

Manage entity is a complex and difficult task. It would be better to give it to the root admin.

---

JMD / Jean-Mathieu Doléans - Glpi-project.org - Association Indepnet
Apportez votre pierre au  projet GLPI   : Soutenir

MHI

Member

From: Germany

Registered: 2007-06-28

Posts: 367

Re: Entity and Profile rights should be entity based

I can agree to that one, but the concept then was not consequently followed as the "entity write" security flag in a profile is more a mixture of a global and entity right. As said a user who is assigned to one entity, but also has the ability to "write entity" can only add entities on the same or child level from the entity he has been assigned to. If "write entity" is a global profile right the user needs to be able to create entities right below the "root entity", which he can't. On the other hand he can see and add himself or others to all other existing entities.
Hope this explantion is somehow understandable, as it is not easy to explain and mayeb now it's more clear why I asked if there is a way to check for the users entities he has been assigned to and just displays them for modifictation, which means to make the "entity write" security option, entitiy based.

---

RedHat Enterprise Linux 5 ES 32Bit x86
PHP 5.1.6 -- Apache 2.2.3
MySQL 5.0.45  --  GLPI 0.72.4 -- OCS 1.32 -- Home brewed MS CM import script

remi

GLPI-DEV

From: Champagne

Registered: 2007-04-28

Posts: 7,127

Website

Re: Entity and Profile rights should be entity based

First, I agree with JMD, I don't think is a great idea to delegate entity creation.

But, I've made some tests and I don't see how you can give "upper" right to users :
- you can't assign a profile with more rights than yours
- you can't assign a profil on a entity you doesn't manage

Tests made with the super-admin profil on a child entity.

++

---

Dév. Fedora 29 - PHP 5.6/7.0/7.1/7.2/7.3/7.4 - MariaDB 10.3 - GLPI master
Certifié ITILv3 - RPM pour Fedora, RHEL et CentOS sur https://blog.remirepo.net/

remi

GLPI-DEV

From: Champagne

Registered: 2007-04-28

Posts: 7,127

Website

Re: Entity and Profile rights should be entity based

I've answer too quickly

You can't assign upper right from the User form, but you can from the Entity form (User tab).

++

---

Dév. Fedora 29 - PHP 5.6/7.0/7.1/7.2/7.3/7.4 - MariaDB 10.3 - GLPI master
Certifié ITILv3 - RPM pour Fedora, RHEL et CentOS sur https://blog.remirepo.net/