Bug 1203694

Summary: Roles added to org. unit and repository are ignored by Business Central
Product: [Retired] JBoss BPMS Platform 6
Reporter: Pavel Kralik <pkralik>
Component: Business Central
Assignee: manstis
Status: CLOSED EOL
QA Contact: Lukáš Petrovický <lpetrovi>
Severity: medium
Priority: high
Version: 6.1.0
CC: agiertli, kverlaen, manstis, mbaluch, rrajasek
Target Milestone: CR1
Target Release: 6.2.0
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2020-03-27 20:03:17 UTC
Type: Bug

Description Pavel Kralik 2015-03-19 13:15:23 UTC
Description of problem:

When the admin role is given to an org. unit or a repository and the admin deploys a project and starts some process instances, then the privileges are ignored in BC. E.g. a user with the analyst role can build & deploy any project from the org. unit/repository or cancel process instances started by admin.

Version-Release number of selected component (if applicable):
BPMS 6.1.0.ER6

How reproducible:
Always

Steps to Reproduce:
1. Add admin role to org. unit/repository in kie-config-cli: add-role-org-unit or add-role-repo
2. Login to the BC as user with admin role and start some process instances. Logout.
3. Login to the BC as user with analyst role and try to list org. unit/repository and try to cancel process instances started by admin.

Actual results:
Analyst has the rights of admin.

Expected results:
The OU or repository and its projects are hidden from the analyst.

Additional info:

Comment 1 Maciej Swiderski 2015-03-19 14:11:59 UTC
Pavel,

If you add roles to a repository or org unit after the project has been created, these roles won't be reflected at runtime, as they won't be added to the deployment descriptor. So to make this work you need to add the roles for runtime via the deployment descriptor (using the project editor).

Roles from the repository are automatically transferred only upon project creation; any other modification to the security of the repository must be manually added to the deployment descriptor.
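The remedy described in comment 1, as an added illustration that is not part of the bug report or the BPMS project's own files: a kie-deployment-descriptor.xml (packaged at META-INF/kie-deployment-descriptor.xml in the kjar) whose required-roles element carries the same role that was granted on the org. unit/repository, so the runtime enforces it independently of the repository ACL. The role name admin and the persistence-unit value are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example descriptor; adjust persistence settings to the deployment. -->
<deployment-descriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.jboss.org/jbpm/deployment-descriptor.xsd">
  <persistence-unit>org.jbpm.domain</persistence-unit>
  <audit-persistence-unit>org.jbpm.domain</audit-persistence-unit>
  <audit-mode>JPA</audit-mode>
  <persistence-mode>JPA</persistence-mode>
  <runtime-strategy>SINGLETON</runtime-strategy>
  <marshalling-strategies/>
  <event-listeners/>
  <task-event-listeners/>
  <globals/>
  <work-item-handlers/>
  <environment-entries/>
  <configurations/>
  <!-- Without this block the deployed runtime has no role restriction at all,
       whatever roles were added to the repository or org. unit afterwards.
       Every role granted with add-role-repo / add-role-org-unit after project
       creation has to be mirrored here by hand. -->
  <required-roles>
    <required-role>admin</required-role>
  </required-roles>
  <remoteable-classes/>
</deployment-descriptor>
```

A quick check before sign-off is to unzip the deployed kjar and confirm the required-roles block matches the roles assigned to the repository, since the two are only synchronised at project creation.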

Comment 2 Marek Baluch 2015-03-19 15:50:57 UTC
This works just ok when the roles are added to the deployment descriptor.

I will close this as soon as we have a resolution for BZ #1203696. I would like to try to verify that custom roles work too.

Comment 3 Marek Baluch 2015-03-19 17:51:28 UTC
The issue is not about the runtime data. 

When you allow access to the 'admin' role on 'OU 1', then someone with 'analyst' is not able to see it. This is valid only until the 'admin' user performs some actions (like building a project). After that 'analyst' can also see 'OU 1' and dig inside it, despite the fact that only 'admin' should be able to view it.

One very important thing to note is that we haven't managed to identify the precise actions which break the access privileges. We will update this BZ when we know more.

In the meantime I'm lowering the severity as concrete steps to reproduce are unknown.

Comment 6 manstis 2015-11-10 17:01:03 UTC
(In reply to Marek Baluch from comment #3)
> The issue is not about the runtime data. 
> 
> When you allow access to 'admin' role on 'OU 1' then someone with 'analyst'
> is not able to see it. This is valid only until the 'admin' user performs
> some actions (like building a project). After that also 'analyst' can see
> 'OU 1 ' and dig inside it despite that only 'admin' should be able to view
> it.
> 
> One very important thing to note is that we haven't managed to identify the
> precise actions which break the access privileges. We will update this BZ
> when we know more.
> 
> In the meantime I'm lowering the severity as concrete steps to reproduce are
> unknown.

Can anyone explain what this BZ actually refers to?

We need some concrete steps to re-create. Is it related to https://bugzilla.redhat.com/show_bug.cgi?id=1214245?

Comment 9 Pavel Kralik 2015-11-23 16:56:04 UTC
BPMS 6.2.0.CR1 - verified with two different repos. Set admin privileges on the OU, repo and project. As admin, performed Build & Deploy. Analyst cannot see the privileged assets.