wso2 / product-iots

Apache License 2.0

Role permission inconsistencies #1258

Open YvonneW opened 7 years ago

YvonneW commented 7 years ago

While going through the role permissions observed the following:

Certificate Management

  1. Observation: There are two groups of permissions dedicated to certificate management.

    • device-mgt >> admin >> certificates : Has permissions to 'add', 'delete', 'details', 'verify', and 'view'
    • device-mgt >> certificates : Has permission to 'manage'.
  2. Analysis: Looks like there are two basic user personas we are trying to tackle with this permission model:

    • Admin : related to device-mgt >> admin >> certificates
    • Generic user : device-mgt >> certificates
  3. Questions:

    • Q1: If we are associating 'manage' with generic users, why haven't we granularized it (i.e., the ability to grant permissions to add, delete, details, verify, and view certificates)?
    • Q2: Does 'manage' indicate the permission to add, delete, details, verify, and view as well? If 'Yes', isn't this more appropriate to an 'Admin' user rather than a generic user?
    • Q3: What is the functionality associated with 'view', 'details' and 'verify'?

Device Type Management

  1. Observation: There are three groups of permissions dedicated to certificate management.

    • device-mgt >> admin >> device-type : The permission itself is 'device-type'
    • device-mgt >> device-type : Has permission to 'add'
    • device-mgt >> devicetype : Has permission to 'deploy'
  2. Analysis: Mainly two user personas are associated with the permission model:

    • Admin : related to device-mgt >> admin >> device-type
    • Generic user : device-mgt >> device-type, and device-mgt >> devicetype
  3. Questions:

    • Q1: What is the associated functionality for the 'device-mgt >> admin >> device-type' permission?
    • Q2: Why are we having two separate groups to grant 'add' and 'deploy' permissions?

Group Management

  1. Observation: There are two groups of permissions dedicated to group management.

    • device-mgt >> admin >> groups : Has permission to 'view'
    • device-mgt >> groups : Has permissions to 'add', 'devices', 'remove', 'roles', 'share', 'update', and 'view'.
  2. Analysis: Mainly two user personas are associated with the permission model:

    • Admin : related to device-mgt >> admin >> groups
    • Generic user : device-mgt >> groups
  3. Questions:

    • Q1: Why are we having a dedicated checkbox under admin simply to view groups?
    • Q2: Why are we having 'add', 'remove', and 'view' under device-mgt >> groups >> devices?
    • Q3: Why are we only having 'view' under device-mgt >> groups >> roles?

Device Management

  1. Observation: There are two groups of permissions dedicated to device management.

    • device-mgt >> device : Has permission to 'subscribe' under the subcategory 'api'
    • device-mgt >> devices : Has the subcategories 'any device', 'change status', 'disenroll', 'enroll', and 'owning-device'.
  2. Analysis: Looks like there is only one user persona applicable for both permission structures.

  3. Questions:

    • Q1: Why are we having two separate permission structures for device-related functionality?
    • Q2: Why do we have to place 'subscribe' under 'api' as a trivial category? Is it possible/wrong to depict the permission as device-mgt >> device >> 'subscribe api'?

Notifications

    • Q1: Is it possible/wrong to indicate 'view notifications' instead of 'device-mgt >> notifications >> view', as the current structure requires a user to tick two checkboxes to grant the privilege?

Authorization

    • Q1: Is it possible/wrong to indicate 'verify authorization' instead of 'device-mgt >> authorization >> verify'?

Application Management

    • Q1: Is it possible/wrong to indicate 'manage applications' instead of 'device-mgt >> applications >> manage'?

Configuration Management

    • Q1: Is 'Configuration Management' the same as 'platform-configurations'?
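As an added illustration (not code from this issue or from the product), a small lint over the permission paths quoted in the post that flags the three kinds of inconsistency it raises: a leaf granted under both the admin and the parallel generic branch, sibling nodes whose names differ only in spelling, and intermediate nodes that wrap a single leaf (two checkboxes for one grant). The PERMISSIONS list is reconstructed from the post's `a >> b >> c` notation, not read from the product's permission registry.

```python
from collections import defaultdict

# Constructed from the paths quoted in this issue (the "a >> b >> c" notation
# rendered as a/b/c); not the product's real permission registry.
PERMISSIONS = [
    "device-mgt/admin/certificates/add", "device-mgt/admin/certificates/delete",
    "device-mgt/admin/certificates/details", "device-mgt/admin/certificates/verify",
    "device-mgt/admin/certificates/view", "device-mgt/certificates/manage",
    "device-mgt/admin/device-type", "device-mgt/device-type/add",
    "device-mgt/devicetype/deploy", "device-mgt/admin/groups/view",
    "device-mgt/groups/add", "device-mgt/groups/view",
    "device-mgt/groups/devices/add", "device-mgt/groups/devices/remove",
    "device-mgt/groups/devices/view", "device-mgt/groups/roles/view",
    "device-mgt/device/api/subscribe", "device-mgt/devices/any-device",
    "device-mgt/devices/change-status", "device-mgt/devices/disenroll",
    "device-mgt/devices/enroll", "device-mgt/devices/owning-device",
    "device-mgt/notifications/view", "device-mgt/authorization/verify",
    "device-mgt/applications/manage",
]

def normalize(segment):
    """Crude key: drop punctuation, case and a plural 's' (device-type/devicetype, device/devices)."""
    key = segment.replace("-", "").replace("_", "").lower()
    return key[:-1] if key.endswith("s") else key

def lint_permissions(perms):
    """Return {finding_type: sorted list of offending nodes} for the three smells raised above."""
    findings, paths = defaultdict(set), [p.split("/") for p in perms]
    # 1. A leaf granted both under 'admin' and under the parallel generic branch.
    generic = {tuple(p) for p in paths if "admin" not in p}
    for p in paths:
        if "admin" in p and tuple(s for s in p if s != "admin") in generic:
            findings["admin_generic_duplicate"].add("/".join(p))
    # 2. Sibling nodes whose names differ only in punctuation, case or plural.
    siblings, children = defaultdict(dict), defaultdict(set)
    for p in paths:
        for depth in range(1, len(p)):
            parent, name = "/".join(p[:depth]), p[depth]
            children[parent].add(name)
            prior = siblings[parent].setdefault(normalize(name), name)
            if prior != name:
                findings["near_duplicate_node"].add(f"{parent}/{{{prior},{name}}}")
    # 3. Intermediate nodes with exactly one leaf child: two checkboxes for one grant.
    for node, kids in children.items():
        if len(kids) == 1 and f"{node}/{next(iter(kids))}" not in children:
            findings["single_leaf_wrapper"].add(node)
    return {k: sorted(v) for k, v in findings.items()}
```

Running `lint_permissions(PERMISSIONS)` reports the admin/generic duplicate of `groups/view`, the `device-type`/`devicetype` and `device`/`devices` sibling pairs, and wrappers such as `device-mgt/notifications` and `device-mgt/device/api`.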

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity.