Add GUI for restrictions #124

Closed
dgoetz opened this issue Mar 31, 2017 · 3 comments · Fixed by #288
Labels
enhancement New feature or improvement

Contributor

dgoetz commented Mar 31, 2017

As a follow-up on #103 and #98, I would like to have a GUI element to define restrictions.

Depending on the environment, perhaps not all users/groups/roles should be allowed for sharing, so adding something like what is already implemented for navigation items could be useful. Also, administrative access overriding all restrictions is something I see as a requirement.

A real-world example:

  • The Icinga-Admin would like to be able to see and edit all business processes to help the admins
  • The Admin of one toolstack would like to be able to see and edit business processes for its tools, same goes for others
  • The Manager of some admin teams would like to see and perhaps simulate business processes of those teams but not all
  • One team would like to see business processes of another (and use the nodes defined by them) as the service they manage depends on the service of the other team
Member

nilmerg commented Feb 19, 2019

Since #200 is closed, the permission businessprocess/showall circumvents all restrictions. Each role also allows restricting configuration access based on prefixes, though only one prefix per role as of yet.

So:

  • Use the permission businessprocess/showall for that
  • Configure a role for the toolstack with a specific prefix
  • Add those managers to the above mentioned roles
  • Again, add those teams to the above mentioned roles

Solved?

nilmerg added the needs-feedback label Feb 19, 2019
Contributor Author

dgoetz commented Feb 19, 2019

Not completely, as I would also like to be able to use the fine-granular permissions mentioned in #98 in the GUI.

Member

nilmerg commented Feb 19, 2019

Ah, thanks. The relevant quote:

The correct spelling for those properties is AllowedUsers, AllowedGroups and AllowedRoles. Their value needs to be a comma-separated list. As soon as there is one of those headers in a process config file, only users fitting any of those filters, the one listed as Owner and users with wildcard permissions are allowed to see the process.

It would have been easy to add form fields for the above, but once we planned doing so, other questions immediately arose. When you are allowed to share, to whom should you be able to do so? Should you be allowed to see those users, groups or roles? Should you be allowed to see your own ones? How do you hinder other users from spamming your menu? Should we also add the possibility to share it in a read-only and in a read-write way? Only to specific users?

As this started to become a huuuuge discussion, we decided to defer this feature. Still, don't fear to use those restrictions by manually setting them. They are supported and will not be broken in a future release. At least not without a defined migration path in case we eventually decide to change everything ;-)
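
The visibility rule quoted in the comment above, as an added example (not part of the thread and not the module's own code). The `# Key : value` header layout, the sample names and the `bypass` flag are assumptions; a file with no Allowed* header is treated as unrestricted, following the quote.

```python
import re

# Assumed layout: "# Key : value" comment lines at the top of the file.
# The thread only names the keys and says values are comma-separated.
HEADER_RE = re.compile(r"^#\s*(\w+)\s*:\s*(.*)$")
ACL_KEYS = ("AllowedUsers", "AllowedGroups", "AllowedRoles")

def parse_headers(config_text):
    """Collect 'Key : value' pairs from the leading comment lines."""
    headers = {}
    for line in config_text.splitlines():
        if not line.startswith("#"):
            break  # header block ends at the first non-comment line
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = m.group(2).strip()
    return headers

def names(headers, key):
    """Comma-separated header value -> set of trimmed, non-empty names."""
    return {n.strip() for n in headers.get(key, "").split(",") if n.strip()}

def may_see(headers, user, groups=(), roles=(), bypass=False):
    """Visibility rule as quoted in the thread.

    bypass=True means the caller already established that the user holds
    businessprocess/showall or a wildcard permission.
    """
    if bypass:
        return True
    if not any(key in headers for key in ACL_KEYS):
        return True  # no Allowed* header at all: process is unrestricted
    if user == headers.get("Owner"):
        return True
    # A header that is present but empty still restricts (fail closed);
    # that is a choice of this example, not something the thread confirms.
    return (user in names(headers, "AllowedUsers")
            or bool(set(groups) & names(headers, "AllowedGroups"))
            or bool(set(roles) & names(headers, "AllowedRoles")))

# Constructed sample header, not taken from a real deployment.
SAMPLE = """\
# Title        : Toolstack A
# Owner        : alice
# AllowedUsers : bob, carol
# AllowedRoles : toolstack-a-admins

(process definitions omitted)
"""
```

Running `may_see(parse_headers(text), user, groups, roles)` over existing config files is a quick way to audit who can see a process before editing the headers by hand.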

nilmerg added the enhancement and needs-sponsoring labels and removed the needs-feedback label Feb 19, 2019
dgoetz added a commit to dgoetz/icingaweb2-module-businessprocess that referenced this issue Dec 15, 2020
nilmerg pushed a commit to dgoetz/icingaweb2-module-businessprocess that referenced this issue Mar 16, 2022
nilmerg removed the needs-sponsoring label Mar 16, 2022
nilmerg added this to the 2.4.0 milestone Mar 16, 2022
nilmerg pushed a commit that referenced this issue Mar 16, 2022