Back to bug 1014219
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jakub Cechacek | 2013-10-01 14:28:18 UTC | Summary | RBAC: Control element visibility for users with Multiple scoped roles | RBAC: Control element visibility for users with multiple scoped roles |
| Heiko Braun | 2013-10-01 15:29:37 UTC | Status | NEW | ASSIGNED |
| | | Link ID | JBoss Issue Tracker HAL-238 | |
| Jakub Cechacek | 2013-10-03 08:08:01 UTC | CC | jdoyle | |
| | | Flags | needinfo?(jdoyle) | |
| John Doyle | 2013-10-03 08:55:42 UTC | Flags | needinfo?(jdoyle) | |
| Ladislav Thon | 2013-10-16 09:21:54 UTC | CC | lthon | |
| Lucas Costi | 2013-10-17 01:45:08 UTC | Doc Text | Cause: Consequence: Workaround (if any): Results: | |
| | | Doc Type | Bug Fix | Known Issue |
| John Doyle | 2013-10-17 02:40:09 UTC | Doc Text | Cause: Consequence: Workaround (if any): Results: | Cause: In some cases users assigned to multiple roles will see operations in the console that they do not have access to perform. For instance a user with roles "host-master-administrator" and "host-slave-monitor" should be able to see control elements (such as "Add" button on server configurations page) only in context of host slave, when operating in context of host master this button should not be visible but is. Consequence: Operations that are visible but should not be will fail because proper access control is enforced in the execution of the operation. There is no security violation. Workaround (if any): None Results: |
| mark yarborough | 2013-10-21 12:44:32 UTC | Target Release | --- | EAP 6.3.0 |
| | | CC | myarboro | |
| | | Flags | needinfo?(jdoyle) | |
| John Doyle | 2013-10-21 16:08:18 UTC | Flags | needinfo?(jdoyle) | |
| Ladislav Thon | 2013-10-21 16:36:09 UTC | CC | jcechace | |
| | | Flags | needinfo?(jcechace) | |
| Jakub Cechacek | 2013-10-22 06:57:59 UTC | CC | rdickens | |
| | | Flags | needinfo?(jcechace) | needinfo?(rdickens) |
| Harald Pehl | 2013-11-20 16:17:34 UTC | CC | hpehl | |
| | | Assignee | hbraun | hpehl |
| Scott Mumford | 2013-12-02 01:55:43 UTC | CC | smumford | |
| | | Doc Text | Cause: In some cases users assigned to multiple roles will see operations in the console that they do not have access to perform. For instance a user with roles "host-master-administrator" and "host-slave-monitor" should be able to see control elements (such as "Add" button on server configurations page) only in context of host slave, when operating in context of host master this button should not be visible but is. Consequence: Operations that are visible but should not be will fail because proper access control is enforced in the execution of the operation. There is no security violation. Workaround (if any): None Results: | It has been reported that in this release of JBoss EAP 6 some users assigned to multiple roles will see operations in the console that they do not have access to perform. For example, a user with roles *host-master-administrator* and *host-slave-monitor* should be only able to see control elements (such as the *Add* button on the server configurations page) in context of host slave. This button should not be visible when operating in context of host master (however it is). Operations that are incorrectly visible will fail if attempted as the correct access control is enforced in the execution of the operation. There is no security violation. No workaround available for this issue at the moment however it will be resolved in a future release of the product. |
| | | Flags | needinfo?(rdickens) | |
| Kabir Khan | 2014-03-06 16:40:27 UTC | CC | kkhan | |
| Harald Pehl | 2014-03-12 14:35:25 UTC | Depends On | 1074493 | |
| Harald Pehl | 2014-03-12 14:37:20 UTC | Target Milestone | --- | DR4 |
| Harald Pehl | 2014-03-13 11:22:25 UTC | Target Milestone | DR4 | DR5 |
| John Doyle | 2014-03-13 15:33:51 UTC | CC | jdoyle | |
| Harald Pehl | 2014-03-14 01:24:49 UTC | Status | ASSIGNED | POST |
| Harald Pehl | 2014-03-20 14:00:55 UTC | Status | POST | MODIFIED |
| Paul Gier | 2014-03-20 21:27:06 UTC | Status | MODIFIED | ON_QA |
| Jakub Cechacek | 2014-03-21 10:03:02 UTC | Status | ON_QA | ASSIGNED |
| Harald Pehl | 2014-03-23 11:02:13 UTC | Status | ASSIGNED | POST |
| Kabir Khan | 2014-04-04 15:37:49 UTC | Status | POST | ON_QA |
| | | Target Milestone | DR5 | DR6 |
| Jakub Cechacek | 2014-04-16 10:12:28 UTC | Status | ON_QA | VERIFIED |
| Lucas Costi | 2014-05-13 06:10:42 UTC | CC | lcosti | |
| | | Doc Text | It has been reported that in this release of JBoss EAP 6 some users assigned to multiple roles will see operations in the console that they do not have access to perform. For example, a user with roles *host-master-administrator* and *host-slave-monitor* should be only able to see control elements (such as the *Add* button on the server configurations page) in context of host slave. This button should not be visible when operating in context of host master (however it is). Operations that are incorrectly visible will fail if attempted as the correct access control is enforced in the execution of the operation. There is no security violation. No workaround available for this issue at the moment however it will be resolved in a future release of the product. | Users assigned to multiple roles would see operations in the console that they did not have access to perform. For example, a user with roles *host-master-administrator* and *host-slave-monitor* should only have been able to see control elements (such as the *Add* button on the server configurations page) in context of host slave. This button should not have been visible when operating in context of host master (however it was). Operations that were incorrectly visible would fail if attempted, as the correct access control was enforced in the execution of the operation. There was no security violation. This issue in the management console has been fixed in this release so that control elements which are not relevant for a user role are no longer displayed. |
| | | Doc Type | Known Issue | Bug Fix |
| Scott Mumford | 2014-05-15 03:28:49 UTC | Doc Text | Users assigned to multiple roles would see operations in the console that they did not have access to perform. For example, a user with roles *host-master-administrator* and *host-slave-monitor* should only have been able to see control elements (such as the *Add* button on the server configurations page) in context of host slave. This button should not have been visible when operating in context of host master (however it was). Operations that were incorrectly visible would fail if attempted, as the correct access control was enforced in the execution of the operation. There was no security violation. This issue in the management console has been fixed in this release so that control elements which are not relevant for a user role are no longer displayed. | Users assigned to multiple roles would see operations in the console that they did not have access to perform. For example, a user with roles *host-master-administrator* and *host-slave-monitor* should only have been able to see control elements (such as the *Add* button on the server configurations page) in context of host slave. This button should not have been visible when operating in context of host master (however it was). Operations that were incorrectly visible would fail if attempted, as the correct access control was enforced in the execution of the operation. There was no security violation. This issue in the management console has been fixed in this release. Control elements which are not relevant for a user role, while visible, are 'grayed-out' and are not active. |
| mark yarborough | 2014-06-28 15:39:52 UTC | Status | VERIFIED | CLOSED |
| | | Resolution | --- | CURRENTRELEASE |
| | | Last Closed | 2014-06-28 11:39:52 UTC | |
| John Skeoch | 2015-02-01 23:00:38 UTC | CC | jkudrnac | |