this is a great release. people have wanted the ability to self-manage org and space users without an admin in the cli for a long time.
thanks for the detailed notes dies!
On Mon, Nov 23, 2015 at 9:56 AM, Dieu Cao <dcao(a)pivotal.io> wrote:
To clarify the point above, a space manager can manage space level roles for any user of the organization. They will not be able to add users to the space if that user is not yet a member of the space's organization.
I'll see about getting the docs updated to describe these new feature flags. These flags enable whether setting org/space roles can be managed by passing a username instead of a user's guid to cloud controller, which in effect makes it so that Org Managers and Space Managers can manage roles. With this change, the CLI no longer needs to do the lookup to UAA (on an admin only end point) to get user guids.
-Dieu
CF CAPI PM
On Mon, Nov 23, 2015 at 4:24 AM, Voelz, Marco <marco.voelz(a)sap.com> wrote:
Thanks for the clarifications, Dies! :)
On 23/11/15 11:56, "Koper, Dies" <diesk(a)fast.au.fujitsu.com> wrote:
Hi Marco,
With this release of the CLI, Org Managers can assign org and space roles to users. Also, Space Managers can assign space roles to users in their org, using the existing `cf set-org-role` and `cf set-space-role` (and equivalent ‘unset’) commands. This feature was previously only available to admin users.
The above text reads like Space Managers can assign roles in an Org, i.e. outside "their" Space, is that true? My assumption was that Space Managers can assign roles in "their" Space only, while Org Managers can assign roles in all Spaces in that Org and also create new Spaces in that Org.
Space Managers can assign **space** roles in **their** space only.
But, Space Managers can do more than just changing the space roles of the users already in their space:
They can also assign a space role to a user not yet in their space: This user will be added to their space and then assigned the space role, with a single set-space-role command invocation.
This is the realization of the following in the manual:
https://docs.cloudfoundry.org/concepts/roles.html#space-roles
A Space Manager can do the following:
- Add and manage users in the space
Can we please add documentation about the new feature flags in https://docs.cloudfoundry.org/adminguide/listing-feature-flags.html to clarify what exactly is enabled/disabled by them? And it seems like the new flags are enabled by default
I believe they are, but the flags are CC flags, not CLI flags, so please check with Dieu.
Related to the above, as an Org Manager creating an org using `cf create-org`, you will now be assigned Org Manager role in it automatically so you can start managing it straight away.
Does that mean Org Managers can create Organizations now? Or should this rather be `cf create-space` inside the Org you are managing as Org Manager? Is this related to the feature flag `user_org_creation`? Or should this rather be about Org Managers creating a Space in "their" Org?
Already, when you create a space, you are automatically assigned SpaceManager and SpaceDeveloper roles in it automatically.
In this CLI release we extend the equivalent functionality to creating an org.
We have not changed anything about the ability to create organizations or not. I believe non-admins can create orgs only if feature flag `user_org_creation` is enabled, which is disabled by default.
I’m not too familiar with the `user_org_creation` feature itself, but now I think “as a non-user creating an org” may have been a more accurate description to use in my release notes.
- The version reported by `cf -v` is now SemVer <http://semver.org/> compliant and easier to understand by leaving out the build time component: cf version 6.14.0+2654a47-2015-11-18
I don't see how including the build time component is making it non SemVer compliant, see Point #10, which explicitly names examples such as 1.0.0-alpha+001, 1.0.0+20130313144700, 1.0.0-beta+exp.sha.5114f85. I'm not saying we should keep it if we don't need it – just that removing it would not have been necessary to comply with SemVer.
We did two things with the version, 1) make it SemVer compliant, 2) make it easier to understand.
Previous version : 6.12.4-b4b6af1-2015-09-18T10:55:12+00:00
This version : 6.14.0+2654a47-2015-11-18
The SemVer compliance is in the `+` and the lack of `:` and `+` after the initial `+`.
The easier to understand part is the shortening of it, and the omission of digits nobody should care about:
The date is useful for users to get a quick idea of how recent their cli is by viewing the version and not having to then visit our release page to confirm what version number we are at; They see the date and go, “hey, it’s three months old, maybe I should check if there is a new version before I report the bug I think I just found”. The hours, minutes, seconds, TZ are just noise.
Thanks for asking!
Cheers,
Dies Koper
Cloud Foundry CLI PM
*From:* Voelz, Marco [mailto:marco.voelz(a)sap.com]
*Sent:* Monday, November 23, 2015 8:22 PM
*To:* Discussions about Cloud Foundry projects and the system overall.
*Subject:* [cf-dev] Re: CF CLI v6.14.0 Released Today
Dear Dies,
thanks for the new release, I'm really happy about the RBAC part. Could you maybe have a look at my question about details in the release notes below:
On 19/11/15 02:19, "Koper, Dies" <diesk(a)fast.au.fujitsu.com> wrote:
*RBAC for Org and Space Managers*
With this release of the CLI, Org Managers can assign org and space roles to users. Also, Space Managers can assign space roles to users in their org, using the existing `cf set-org-role` and `cf set-space-role` (and equivalent ‘unset’) commands. This feature was previously only available to admin users.
The above text reads like Space Managers can assign roles in an Org, i.e. outside "their" Space, is that true? My assumption was that Space Managers can assign roles in "their" Space only, while Org Managers can assign roles in all Spaces in that Org and also create new Spaces in that Org.
Note that this feature requires the target CF release to be v219 (CC API v2.37.0) or higher, and the feature flags ‘set_roles_by_username’ and ‘set_roles_by_username’ to be enabled (use `cf feature-flags` to check).
Can we please add documentation about the new feature flags in https://docs.cloudfoundry.org/adminguide/listing-feature-flags.html to clarify what exactly is enabled/disabled by them? And it seems like the new flags are enabled by default: https://github.com/cloudfoundry/cloud_controller_ng/blob/965dbc4bdf65df89f382329aef39f86a916b3f05/app/models/runtime/feature_flag.rb#L16-L17 ?
Related to the above, as an Org Manager creating an org using `cf create-org`, you will now be assigned Org Manager role in it automatically so you can start managing it straight away.
Does that mean Org Managers can create Organizations now? Or should this rather be `cf create-space` inside the Org you are managing as Org Manager? Is this related to the feature flag `user_org_creation`? Or should this rather be about Org Managers creating a Space in "their" Org?
*Other Features:*
- The version reported by `cf -v` is now SemVer <http://semver.org/> compliant and easier to understand by leaving out the build time component: cf version 6.14.0+2654a47-2015-11-18
I don't see how including the build time component is making it non SemVer compliant, see Point #10, which explicitly names examples such as 1.0.0-alpha+001, 1.0.0+20130313144700, 1.0.0-beta+exp.sha.5114f85. I'm not saying we should keep it if we don't need it – just that removing it would not have been necessary to comply with SemVer.
*New Plugins:*
- *Manifest Generator Plugin* <https://github.com/ArthurHlt/plugin-cf-manifest-generator>
Nice!
Thanks and warm regards
Marco
--
Thank you,
James Bayer
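
The SemVer question debated in this thread can be checked mechanically. The following is an added example, not part of any message in the thread and not code from the CF CLI; `semver_problems` is a hypothetical helper implementing the SemVer 2.0.0 identifier rules, and the last sample version is constructed.

```python
import re

# Identifier alphabet shared by pre-release and build metadata (SemVer 2.0.0, items 9 and 10).
IDENT = re.compile(r"[0-9A-Za-z-]+")
# Numeric fields must not carry leading zeros.
NUMERIC = re.compile(r"0|[1-9][0-9]*")


def semver_problems(version):
    """Return the SemVer 2.0.0 violations in `version`; an empty list means compliant."""
    problems = []
    # Build metadata starts at the first '+', pre-release at the first '-' before it.
    rest, plus, build = version.partition("+")
    core, dash, pre = rest.partition("-")

    fields = core.split(".")
    if len(fields) != 3 or not all(NUMERIC.fullmatch(f) for f in fields):
        problems.append(f"core {core!r} is not MAJOR.MINOR.PATCH")

    if dash:
        for ident in pre.split("."):
            if not IDENT.fullmatch(ident):
                problems.append(f"pre-release identifier {ident!r} is not [0-9A-Za-z-]+")
            elif ident.isdigit() and not NUMERIC.fullmatch(ident):
                problems.append(f"numeric pre-release identifier {ident!r} has a leading zero")

    if plus:
        for ident in build.split("."):
            if not IDENT.fullmatch(ident):
                problems.append(f"build identifier {ident!r} is not [0-9A-Za-z-]+")
    return problems


SAMPLES = [
    "6.12.4-b4b6af1-2015-09-18T10:55:12+00:00",  # previous cf -v format (from the thread)
    "6.14.0+2654a47-2015-11-18",                 # new cf -v format (from the thread)
    "1.0.0-alpha+001",                           # SemVer spec examples quoted in the thread
    "1.0.0+20130313144700",
    "1.0.0-beta+exp.sha.5114f85",
    "6.14.0+2654a47.20151118T105512Z",           # constructed: build time kept, still compliant
]

if __name__ == "__main__":
    for v in SAMPLES:
        issues = semver_problems(v)
        print(v, "->", "compliant" if not issues else "; ".join(issues))
```

The old format fails on the `:` characters in both the pre-release and build parts, while a build time written without `:` or a second `+` passes.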