
Bug #5451

permissions design needs review

Added by Timothy Zingelman over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Start date: 02/15/2014
Due date:
% Done: 0%
Estimated time:
Duration:

Description

The permissions to edit a CI based on being an admin of the CI are easy to subvert, since anyone can edit the cluster relationships. Holding the cluster relationship editing to the same restrictions is not a viable option however, because we run into a chicken-and-egg situation where someone is responsible for a system, but that is not reflected in CMDB yet, and they can't fix it. Requiring human approval/intervention in this process would be a huge bottleneck and a significant disincentive to keeping CMDB correct & complete.

One option is to keep the CI editing permissions checking in place for the non-relationship aspects; to allow any and all editing of relationships by anyone including the now blocked adding and removing direct (non-cluster) relationships, but adding an email notification to the current primary sysadmin(s) as a protection against unwanted changes.
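
The design discussed in this report, as a small model added here for illustration (it is not the CMDB's own code). It assumes that a user counts as an admin of a CI if they are one of its sysadmins or a sysadmin of a cluster it is related to; the class and function names, the `outbox` list standing in for email, and the sample data are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class CI:
    name: str
    sysadmins: set = field(default_factory=set)  # primary sysadmin(s)
    clusters: set = field(default_factory=set)   # names of related cluster CIs
    attrs: dict = field(default_factory=dict)

class Cmdb:
    def __init__(self, cis):
        self.cis = {ci.name: ci for ci in cis}
        self.outbox = []  # (recipient, message) pairs; stands in for email

    def is_admin(self, user, name):
        """Assumed rule: direct sysadmin, or sysadmin of a related cluster."""
        ci = self.cis[name]
        return user in ci.sysadmins or any(
            user in self.cis[c].sysadmins for c in ci.clusters)

    def set_attr(self, user, name, key, value):
        """Non-relationship edit: the permission check stays in place."""
        if not self.is_admin(user, name):
            raise PermissionError(f"{user} is not an admin of {name}")
        self.cis[name].attrs[key] = value

    def edit_cluster(self, user, name, cluster, add=True):
        """Relationship edit: open to anyone, primary sysadmins are notified."""
        ci = self.cis[name]
        # Recipients are taken from the state before the change, so the edit
        # itself cannot alter who hears about it. Skipping the actor is an
        # assumption of this sketch.
        recipients = sorted(ci.sysadmins - {user})
        (ci.clusters.add if add else ci.clusters.discard)(cluster)
        verb = "added" if add else "removed"
        for r in recipients:
            self.outbox.append((r, f"{user} {verb} {name} <-> {cluster}"))

def demo():
    """Constructed data: alice runs web01, mallory runs her own cluster."""
    db = Cmdb([CI("web01", sysadmins={"alice"}),
               CI("mallory-cluster", sysadmins={"mallory"})])
    try:
        db.set_attr("mallory", "web01", "owner", "mallory")
        blocked = False
    except PermissionError:
        blocked = True
    db.edit_cluster("mallory", "web01", "mallory-cluster")
    db.set_attr("mallory", "web01", "owner", "mallory")  # now passes the check
    return blocked, db.attrs_of("web01") if hasattr(db, "attrs_of") else db.cis["web01"].attrs, db.outbox
```

In this model the notification is a detective control: the attribute edit still succeeds after the relationship change, but the existing primary sysadmin has a record of who made the change that enabled it.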


