Bug 1465642

Summary: Non-admin users unable to see Catalog Items in SUI
Product: Red Hat CloudForms Management Engine Reporter: Ryan Spagnola <rspagnol>
Component: Appliance Assignee: Yuri Rudman <yrudman>
Status: CLOSED DUPLICATE QA Contact: Landon LaSmith <llasmith>
Severity: high Docs Contact:
Priority: high    
Version: 5.8.0 CC: abellott, brant.evans, cpelland, dclarizi, jhardy, llasmith, obarenbo, rspagnol
Target Milestone: GA Keywords: TestOnly, ZStream
Target Release: 5.9.0 Flags: llasmith: needinfo+
Hardware: All   
OS: All   
Whiteboard: ssui:catalog:rbac
Fixed In Version: 5.9.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1468295 (view as bug list) Environment:
Last Closed: 2017-10-31 19:47:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: Bug
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1468295    
Attachments:
Looks like by default role you mention does not include view catalog (Flags: none)

Description Ryan Spagnola 2017-06-27 20:23:43 UTC
Description of problem:
When using the SUI as a non-admin user the Service Catalog Items that are tagged for the user to be able to see are not seen by the user. In fact the Service Catalog menu is not even displayed for the user. The user is able to see My Services and Orders menus.


Version-Release number of selected component (if applicable):
5.8

How reproducible:
Always

Steps to Reproduce:
1. 
2.
3.

Actual results:


Expected results:


Additional info:
This happens with either fresh appliance or upgrade to 4.5

Comment 2 Allen W 2017-06-28 13:30:37 UTC
So we've run into this a few times and it's usually a role product feature issue. Please confirm the current role of the user has the appropriate product features to see the service catalog. (That you can't see the menu item indicates this is likely not a bug, rather a misconfiguration.)

Guessing no ip or ss are an option?

Comment 3 Brant Evans 2017-06-28 13:40:01 UTC
Allen,

This happens when using the EvmRole-user_self_service role for the group. So if it is a problem with the role then it is a bug in the product as the role that ships does not work.

Comment 4 Brant Evans 2017-06-28 13:41:54 UTC
This is happening on a customer's system so no IP, but I can work with the customer to get a screen-share going if you would like.

Comment 5 Allen W 2017-06-28 13:53:44 UTC
Created attachment 1292658
Looks like by default role you mention does not include view catalog

Can you confirm or deny if the user role has the `catalog_items_view` product feature?

Comment 6 Allen W 2017-06-28 13:58:24 UTC
Hey ChrisK who do we talk to about changing the product features of the sui role? It needs to have the following product feature enabled (if the desired goal is to allow sui users to see catalogs)   
      :name: View Catalog Items
      :description: View Catalog Items
      :feature_type: view
      :identifier: catalog_items_view

Comment 7 Brant Evans 2017-06-28 14:05:38 UTC
There is a Services -> Catalogs Explorer -> Catalog Items -> View Catalog Items product feature that I see and it is not selected.

I copied the EvmRole-user_self_service to a new role and enabled the feature. I am now able to see the Service Catalog in the SUI as a non-admin user. Only the catalog items that are supposed to be shown (based on tagging) are shown to the user.

Is this a new feature in 4.5? or a change in behavior for how the feature is used between 4.2 and 4.5?

Either way this feature should be enabled by default for the EvmRole-user_self_service (and maybe others).

Comment 9 Chris Kacerguis 2017-06-29 13:05:37 UTC
Looks like we need to change product features of the sui role. It needs to have the following product feature enabled
  
      :name: View Catalog Items
      :description: View Catalog Items
      :feature_type: view
      :identifier: catalog_items_view

(not 100% sure the "Appliance" category is the right one, so apologies if it isn't)

Comment 11 CFME Bot 2017-07-05 10:26:16 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/ad6c4cb141257ca7eba82f43d3269bea4aa1a6ef

commit ad6c4cb141257ca7eba82f43d3269bea4aa1a6ef
Author:     Yuri Rudman <yrudman>
AuthorDate: Fri Jun 30 10:12:15 2017 -0400
Commit:     Yuri Rudman <yrudman>
CommitDate: Fri Jun 30 10:12:15 2017 -0400

    added 'catalog_items_view' product feature to ssui roles
    https://bugzilla.redhat.com/show_bug.cgi?id=1465642

 db/fixtures/miq_user_roles.yml | 2 ++
 1 file changed, 2 insertions(+)

Comment 13 Landon LaSmith 2017-10-27 12:48:12 UTC
Kicking this back b/c the default EvmRole-user_self_service (and EvmRole-user_limited_self_service) role doesn't allow the non-admin user to view the Service Catalog (or login) via the Self Service UI.  The role needs to enable Service UI -> Service Catalog -> View as a default permission

Version: 5.9.0.4.20171024163837_ef71ea6

Comment 14 Yuri Rudman 2017-10-27 13:50:16 UTC
Landon,

This change was already released in 5.8.1.2 - https://bugzilla.redhat.com/show_bug.cgi?id=1468295. 

Could you verify this one and create another BZ against version 5.8.1.1 with a description of the changes you are proposing? It would help to keep track of the issue.

Thanks!

Comment 15 Landon LaSmith 2017-10-27 14:46:18 UTC
Yuri,

5.9 now has separate permissions to grant access to items in the SSUI under "Service UI".

:name: Show
:description: Show Service Catalog
:feature_type: view
:identifier: sui_svc_catalog_view


This issue isn't present in CFME 5.8.2.3 because there are no separate features required to enable SSUI access.

Comment 16 Yuri Rudman 2017-10-31 19:47:35 UTC

*** This bug has been marked as a duplicate of bug 1507029 ***
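
A check along the lines of this thread, as an added example that is not ManageIQ or CloudForms code: it reads a role fixture and reports which self-service roles lack the two product features named in the comments (`catalog_items_view` and `sui_svc_catalog_view`). The fixture layout (`:name:` and `:miq_product_feature_identifiers:` keys), the sample roles' feature lists, `EvmRole-custom_copy` and `placeholder_feature` are assumptions constructed for illustration.

```ruby
require "yaml"

# Identifiers taken from the thread: catalog_items_view (comments 6 and 9)
# and sui_svc_catalog_view (comment 15, the separate "Service UI" feature in 5.9).
REQUIRED_FEATURES = %w[catalog_items_view sui_svc_catalog_view].freeze
SELF_SERVICE_ROLES = %w[EvmRole-user_self_service
                        EvmRole-user_limited_self_service].freeze

# Constructed sample, not the shipped db/fixtures/miq_user_roles.yml.
# The key names are an assumption about the fixture layout.
SAMPLE_FIXTURE = <<~FIXTURE
  - :name: EvmRole-user_self_service
    :miq_product_feature_identifiers:
    - catalog_items_view
    - placeholder_feature
  - :name: EvmRole-user_limited_self_service
    :miq_product_feature_identifiers:
    - placeholder_feature
  - :name: EvmRole-custom_copy
    :miq_product_feature_identifiers:
    - catalog_items_view
    - sui_svc_catalog_view
FIXTURE

# Returns { role_name => [missing identifiers] } for roles with gaps, or
# { role_name => :role_not_defined } when the fixture has no such role.
# Only identifiers listed directly on the role are compared.
def missing_features(fixture_text, roles: SELF_SERVICE_ROLES,
                     required: REQUIRED_FEATURES)
  # safe_load with Symbol permitted: the keys are Ruby symbols, nothing else
  # beyond plain scalars, arrays and hashes is deserialized.
  entries = YAML.safe_load(fixture_text, permitted_classes: [Symbol]) || []
  by_name = entries.to_h do |e|
    [e[:name], Array(e[:miq_product_feature_identifiers])]
  end
  roles.each_with_object({}) do |role, report|
    unless by_name.key?(role)
      report[role] = :role_not_defined
      next
    end
    gaps = required - by_name[role]
    report[role] = gaps unless gaps.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  missing_features(SAMPLE_FIXTURE).each do |role, gaps|
    puts "#{role}: #{gaps.is_a?(Array) ? "missing #{gaps.join(', ')}" : gaps}"
  end
end
```

Run against a role export after an upgrade, a non-empty report flags the kind of gap reported here before users hit a missing Service Catalog menu.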