Users with admin_role to a project do not have permission to see all the job templates that employ that project. Yet, organization auditor_role will get permission to view those templates.
If we were to add `auditor_role` to projects, then we would be able to surface this mechanism to users.
ENVIRONMENT
AWX version: 4.0.0
AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
Ansible version: X.Y.Z
Operating System:
Web Browser:
STEPS TO REPRODUCE
Create a project, grant userA `admin_role`, grant other users `use_role`
Have those other users create new job templates with project
EXPECTED RESULTS
Expect userA to see job templates created with that project
ACTUAL RESULTS
userA cannot see any job templates, or jobs.
ADDITIONAL INFORMATION
#3629 is my reason for filing this.
Corresponding to this change, we should offer an "audit" entry in `user_capabilities` for projects, avoiding extra legwork by the client to determine who can and cannot attach a notification template.
It would also make the permissions rules for Notification Templates more simply explainable. Auditor role will be necessary for the resource, `notification_admin_role` for the notification template, and if auditor role is not present for the resource, read role will suffice.
Ping @wenottingham @mabashian