Warnings, Restrictions, & Centralized Administration #97780
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
8 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#97780
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
With more organizations adopting Blender there is increasing need to simplify the deployment, maintenance, and administration of the program in large installations. This plan is meant to be a number of incremental steps that, once approved, I could implement myself. I have about 10 years of prior experience as a Domain Administrator on a network of approximately 600 users and 1000 computers in a Windows domain, and am familiar with the pitfalls and best practices.
Improved Warnings
This doesn't seem related, but is. I would like us to implement something like D10955: UI: Improved Operator Confirmations, which allow us to make warning dialogs much more easily than now that are also more informative, more customizable, and more differentiable. This way we can define many more than we have now to cover almost any situation where some users might want warnings, like when overwriting existing files or when files differ in version. We can define more because we'd also add the ability for users to easily enable/disable them.
Move Warning Configurations from Keymap to Settings
Right now the configuration of warnings is quite obscure, buried in the keymaps as an attribute of the entry. Most users will not be able to change the current warnings. I'd like to make a "Warnings" section in Settings with checkboxes to allow quick enabling and disabling of warnings.
Expose Factory Settings
Right now the default startup file and the factory preferences are only stored inside the executable. I'd like to optionally expose those for customization. Perhaps add a command-line argument to the executable that extracts copies of the embedded "default.blend" and "prefs.blend" to the install folder. These would be used instead, if present, in the same way that you can now override the splash image with a custom "splash.png".
In a large deployment you would put the blender installation folder in a shared read-only location that everyone would launch. That way you only have to install it once, not on every workstation. With this change you could, for example, change the fonts directory to be a shared network location. Change that in this one place and it becomes the default for everyone.
Add Restriction Settings
Like the "Warnings" section in Settings, I'd like to add "Restrictions". So checkboxes that, once enabled, restrict the user from doing some operations. For example to not allow the installation of addons. In a single-user installation this would not be used. But imagine an administrator setting these, along with warnings, and placing a "prefs.blend" file in the shared read-only network location of the Blender installation. It now means everyone on the network has the same defaults, warnings, and restrictions.
Project Settings
As another layer of granularity, allow putting these shared defaults and preference files within the folder path of blend files. So while loading any "blend" file we also look in its folder and parent folders for defaults and prefs. This way you can have per-project settings.
Platform Enhancements
During startup we are loading settings for settings, warnings, and restrictions. Once this is done we could also call platform-specific routines if they exist, like checking settings in the Windows Registry for example. This is all that is required to support Group Policy, so an Administrator can set a path for all user, allow some groups to add addons, and only leaders to change restrictions, etc.
Changed status from 'Needs Triage' to: 'Needs Developer To Reproduce'
Added subscriber: @Harley
Added subscriber: @manuelgrad1
Blenderartists discussion involving a request for production-specific restrictions/warnings: https://blenderartists.org/t/what-is-the-most-bat-guano-insane-thing-in-blender-that-you-cant-believe-they-havent-fixed-yet/1300129/247
Added subscriber: @ManuelGrad
Added subscriber: @RobertS
Note sure if this is described using a wording I don't understand (not a native English speaker or an admin, really), so I just want to say that as I'm contemplating deploying Blender where I work (small deployment scale of 5-25 people, but who are not traditional 3D artists), it would be ideal if I could place the installer on one of our shared network folders, and have anyone who uses it automatically transfer a settings file, startup file, asset library locations, theme and most importantly plug-ins!
(In the meantime, I'm going to try a Powershell script to accomplish this, basically just copying a backup of my own %appdata%\Blender Foundation\Blender folder contents, perhaps.)
Added subscriber: @AlexeyAdamitsky
Added subscriber: @EAW
Added subscriber: @brecht
Regarding "Expose Factory Settings", "Add Restriction Settings" and "Project Settings", for me there is a bigger picture. There are 5 potential levels of preferences:
Having studio or project levels completely replace the Blender defaults and provide additional add-ons/assets is relatively straightforward in some way. There it's mainly a question of how to define it: using environment variables, files in the Blender install folder, putting files in the project folder (see D16288), some standard directory next to the regular users config files. Adding ability to override the default prefs.blend and startup.blend + revisiting how environment variables like BLENDER_SYSTEM and BLENDER_USER work I think could be a good direction here and similar to how some other apps work.
The user level less clear. We already know where to store it, but you need to either have an override mechanism, or a split up the preferences in some way that makes sense for users to be able to change some parts completely, or not change some parts at all. I think we need to look at it that way more than as "restriction", it's about where the data is stored.
An override mechanism is probably too complex a solution for users and developers in practice, but splitting things up in some natural way is also not obvious. We need more concrete examples of what would make sense to do here.
It may also be that there is some relatively small fixed set of settings that makes sense to override at the studio or project level, and give those special treatment rather than making a completely general system. For example an OpenColorIO config or enforcing of file/datablock naming conventions seems to naturally fit at the project level and it's not obvious this needs to exist at other levels.
Some data is additive, like installed add-ons or asset libraries. All levels can be added together for that case, though making it actually work requires changes as the list of asset libraries and which add-ons are enabled is stored in the single prefs.blend.
Another point to make is that a lot is possible through Python scripting. It's not an ideal solution, but you can have scripts running on load that ensure certain preferences are set, ensure a specific set of asset libraries is added, etc. With some utility module and documentation it could be quite powerful.
About the other points:
Added subscriber: @LazyDodo
while I'm not against supporting group policies, there has to be a large stake holder interested in the feature for it to thrive and get to a mature state, I can't remember anyone even asking for it in my time with blender. I'm not entirely convinced "build it and they will come" applies to this use-case.
Added subscriber: @mod_moder
I seem to have seen requests for more group work in the company, in RCS. But there it was more likely than that of managing the level of access to different parts of the project.
Although I mention Windows Group Policies here, it really isn't a big part of it and no big deal if not done. I think my biggest point about it is that once the other things are done properly, adding support for Group Policies is very trivial.
A concrete step here could be to introduce the following environment variables:
BLENDER_SITE_RESOURCES
BLENDER_SITE_CONFIG
BLENDER_SITE_SCRIPTS
BLENDER_SITE_DATAFILES
Files in these directories would be read-only for Blender, and would override defaults (startup.blend and prefs.blend) or add to (add-ons, keymaps, HDRIs, ..) the
BLENDER_SYSTEM
files.I don't know if "site" is the best terminology, I've seen that term used for similar purpose but have not checked if there is something more standard.
There have also been proposals in the past to make
BLENDER_USER
environment variables a list of paths to achieve the same purpose, though I think it's good to have a distinction between read-only directories and user directories where Blender writes.BLENDER_SYSTEM
also can't be used for that purpose without breaking compatibility or being inconvenient, because that currently is the the path to the files bundled with the Blender install.BLENDER_SITE
variables could be a list of paths however. I'm not sureBLENDER_SYSTEM
is really that useful in practice with current behavior at all and maybe had (some of) the same use cases asBLENDER_SITE
behind it, but probably not worth breaking how that works.Maybe we can provide other mechanism for such site paths for those who don't like to deal with environment variables, some standard location or a path specified in the user preferences. But that can be considered and added once the basic system is in place.