ezekg
commented
11 months ago The concept of banning a group, although it seems like it makes sense, upon further thought, it doesn't. What happens if a group consists of only machines? Machines can't be banned, so what happens to the machines of the banned group? Does banning a group retroactively ban/suspend all resources in that group, and their ancestors? E.g. if a machine is a part of a banned group, but its license isn't, is the license banned by association? That sounds overly complex and confusing, and requires the system to peek into all groups of all children to determine whether or not a given resource is in a banned group.
Really, I think this is a symptom of both not supporting bulk operations (#231), as well as only allowing a single user per-license (#534). I'm wary of introducing bulk operations, because of the authz implications, but also in regards to performance and code complexity. I'd rather avoid bulk operations altogether because of this.
So a better solution here, I think, would be to move forward with supporting multiple users per-license (#534). That way, a single license can be shared across a company, allowing you to suspend the license for everybody (e.g. non-payment), but also ban individual users if needed (e.g. employee off-boarding).
As it currently stands, the only solution would be to suspend each license or ban each user individually.
Apologies if I'm missing something in the API, but I'm not seeing a clear way to achieve the following scenario:
I'd ideally want to do something like:
A potential workaround might be to represent the customer company as a keygen User instead of a Group, so a single User "ban" API request would block all of the licenses. But, employees wouldn't be able to manage their own licenses/machines because they couldn't correspond to a keygen User.
Thanks in advance for any suggestions/help!