-
Notifications
You must be signed in to change notification settings - Fork 915
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC]: Seeking details on the Workspace experience & access control #4615
Comments
I think the concept of organizing my personal space on the application is key here, and it sounds great! |
That's a great point. I'd be curious how the sharing concept would work, and if it could fix the issue of not being able to share objects across tenants without copy-pasting json. |
I have a design proposal for this workspace access control and posted it at #4633 , please feel free to comment on it |
Thank you for putting together the proposal. A replacement for Tenants was discussesd previously in opensearch-project/security#1869 and there may be some discussion from that that may aid direction here. My main issue with the previous proposal seemed to be around the lack of compartmentalisation, that is being able to split up my visualisations into different places rather than seeing them all jumbled up in one big list. It sounds like Workspaces as proposed would keep the same sort of compartmentalisation that Tenants provides so that sounds good to me. |
FYI @mnkugler it looks like Workspace would be in a good position to handle this feature request [1] to expose more access control information to users. |
Workspace admin can config which features are visible in the workspace but it's different than show/hide menu based on user permissions because everyone in the workspace still see the same menu entries. I guess the challenge is how to map plugin permissions with menu entries. |
Just checking in here. opensearch-project/security-dashboards-plugin#857 was closed to refer to this issue, however does the design proposal for workspace access control (#4633) address the need for restricting access to some parts of OpenSearch Dashboards for non-admins? It seems more focused on managing access to saved objects, but I could be wrong |
The idea of “Projects” or “Workspaces” was recently posted in Dashboards. This is a request for feedback and input on the details for the Workspace concept.
Workspaces help organize your work, library items/saved objects, and tools, and is a convenient way to enable sharing and collaboration between users. It’s also a way to customize the tools that are available, so that when users switch between workspace, they have a focused view of the features and tools that are relevant for the selected workspace.
Actions you should be able to do with workspaces and objects:
Sharing experience
For sharing permissions, depending on your credentials, you can assign permissions based on individual users, or user groups. Dashboard Admins will have permissions to do anything in dashboards and configure permissions for other users. Workspace admins can configure the user permissions and the settings, as well as have CRUD permissions for workspaces. As a Dashboards user, you will be able to switch between workspaces as well.
Open question: How can we handle access control if we abstract the saved object repository?
Today we have a target architecture for abstracting saved objects in Dashboards so that we can decouple an OpenSearch-Dashboard cluster from an OpenSearch cluster.
However this target architecture lacks an explanation of how to handle access control for saved objects. Today for a user who depends on the security dashboard plugin, the tenant concept handles this in a rough way, with some gaps. How can we modify our architecture to handle this in a more straightforward way, with access controls built into the architecture, rather than as a side effect of tenants?
The text was updated successfully, but these errors were encountered: