Bug 1264732

Summary: [RFE] Predefined role which is equivalent of ORG ADMIN
Product: Red Hat Satellite 6
Reporter: Rishi <rjain>
Component: Users & Roles
Assignee: Marek Hulan <mhulan>
Status: CLOSED ERRATA
QA Contact: Renzo Nuccitelli <rnuccite>
Severity: high
Docs Contact:
Priority: high
Version: 6.1.1
CC: aladke, aperotti, asahni, bbuckingham, bkearney, daniele, dcaplan, egolov, fgarciad, hjensas, howey.vernon, johan.bergstrom, jswensso, jyejare, ktordeur, mhulan, mmccune, orabin, oshtaier, pmutha, riehecky, rnuccite, robert.miyata, sokeeffe, sreber, ssherkar, xdmoon
Target Milestone: GA
Keywords: FutureFeature, Triaged
Target Release: --
Hardware: Unspecified
OS: Unspecified
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1280468
https://bugzilla.redhat.com/show_bug.cgi?id=1301900
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-21 07:30:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1296845, 1353215
Attachments:
  create_org_admins script (Flags: none)
  Roles with Taxonomy Association (Flags: none)

Comment 4 Bryan Kearney 2015-11-13 11:35:50 EST
*** Bug 1280468 has been marked as a duplicate of this bug. ***
Comment 6 Mike McCune 2016-01-14 00:38:19 EST
A first pass at a temporary script to create a single Role for every Organization with all permissions assigned to this role *except* the ability to create other Organizations as well as modify Roles can be found here:

http://people.redhat.com/~mmccune/create_org_admins.rake

To run this utility do the following:


1) Download to your Satellite 6.1 system:

# curl http://people.redhat.com/~mmccune/create_org_admins.rake > /usr/share/foreman/lib/tasks/create_org_admins.rake

2) Execute the script:

# foreman-rake create_org_admins
Creating Roles for every Organization with all Permissions except Organization and Role objects.

  ** Creating ROLE: Org Admin - Default Organization
  ** Adding Filters to ROLE: Org Admin - Default Organization
  ** Creating ROLE: Org Admin - Org333
  ** Adding Filters to ROLE: Org Admin - Org333
  ** Creating ROLE: Org Admin - The Demo Org Auto
  ** Adding Filters to ROLE: Org Admin - The Demo Org Auto

Done creating new Roles with all Filters and Permissions except Organization and Role objects.

3) This will create a single Role for each Organization on the Satellite. Each Role will have all permissions except for Organization and Role objects assigned to it with no scoped filtering on specific objects. 

This will allow users scoped to a single Organization with this Role to have the ability to act as an Admin but only be able to modify objects within that Organization.

This is a First Draft of this script and is open to modification and suggestions.
Comment 7 Bryan Kearney 2016-02-11 11:46:53 EST
*** Bug 1301900 has been marked as a duplicate of this bug. ***
Comment 9 Johan Bergström 2016-04-14 08:08:58 EDT
ORG admin will probably need access to manifest and subscription management for their own org, which is part of organization resource type.

Adding org resource with delete_manifest, import_manifest, unattach_subscriptions, attach_subscriptions, view_subscriptions filters does the trick.
Comment 10 Johan Bergström 2016-04-14 08:45:46 EDT
ORG admin has access to full audit trails for all organizations per default.

ORG admin can see and modify tasks for all organizations - this is bad.
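
Added example (not part of the bug thread or of the attached script): a Ruby check that audits a role's filters against the constraints raised in comments 6, 9 and 10. The filter hash format, the `Audit` and `ForemanTasks::Task` type names, and the sample permissions other than those listed in comment 9 are assumptions made for this example.

```ruby
require 'set'

# Organization-type permissions an org admin still needs (named in comment 9).
ALLOWED_ORG_PERMISSIONS = Set[
  'delete_manifest', 'import_manifest', 'unattach_subscriptions',
  'attach_subscriptions', 'view_subscriptions'
].freeze

# Resource types comment 10 reports as visible across all organizations.
# The type names are assumptions made for this example.
CROSS_ORG_TYPES = Set['Audit', 'ForemanTasks::Task'].freeze

# Audits one role's filters, given as hashes of the form
# { resource_type: String, permissions: [String] } (a constructed format).
# Returns a list of findings; an empty list means the role passes.
def audit_org_admin_role(role_name, filters)
  filters.flat_map do |filter|
    type  = filter[:resource_type]
    perms = filter[:permissions]
    found = []
    # Comment 6: no permissions on Role objects at all.
    found << "#{role_name}: holds Role permissions (#{perms.join(', ')})" if type == 'Role'
    # Comments 6 and 9: Organization permissions only for manifests/subscriptions.
    if type == 'Organization'
      extra = perms.reject { |p| ALLOWED_ORG_PERMISSIONS.include?(p) }
      found << "#{role_name}: extra Organization permissions (#{extra.join(', ')})" unless extra.empty?
    end
    # Comment 10: these resources are not confined to the user's organization.
    found << "#{role_name}: #{type} is visible across organizations" if CROSS_ORG_TYPES.include?(type)
    found
  end
end

# Constructed sample role; permission names outside comment 9 are illustrative.
SAMPLE_FILTERS = [
  { resource_type: 'Host', permissions: %w[view_hosts edit_hosts] },
  { resource_type: 'Organization',
    permissions: %w[view_subscriptions import_manifest create_organizations] },
  { resource_type: 'Audit', permissions: %w[view_audit_logs] },
  { resource_type: 'Role', permissions: %w[edit_roles] }
].freeze

audit_org_admin_role('Org Admin - Org333', SAMPLE_FILTERS).each { |f| puts f }
```
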
Comment 11 orabin 2016-05-24 01:07 EDT
Created attachment 1160873
create_org_admins script
Comment 12 orabin 2016-05-24 01:13:25 EDT
I added Mike's script with some changes that should remove permissions to see other orgs when editing permissions.
This version was created by Tom Caspy on Feb 8th.
Comment 13 Bryan Kearney 2016-07-08 16:19:14 EDT
Per 6.3 planning, moving out non acked bugs to the backlog
Comment 15 Bryan Kearney 2016-07-28 04:09:09 EDT
Upstream bug assigned to mhulan@redhat.com
Comment 16 Bryan Kearney 2016-07-28 04:09:15 EDT
Upstream bug component is Users & Roles
Comment 18 Bryan Kearney 2016-08-26 06:10:07 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/7806 has been closed
Comment 21 Renzo Nuccitelli 2016-11-15 08:20 EST
Created attachment 1220833
Roles with Taxonomy Association
Comment 22 Renzo Nuccitelli 2016-11-15 08:22:12 EST
Now Roles can be associated with taxonomies (screen attached). Verified on sat 6.3.0 snap 6.
Comment 26 errata-xmlrpc 2018-02-21 07:30:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336