Bug 1834524
| Summary: | [RFE] 'Custom default user access' with no roles assigned gives access to delete the system under inventory | | |
|---|---|---|---|
| Product: | Red Hat Hybrid Cloud Console (console.redhat.com) | Reporter: | Amar Huchchanavar <ahuchcha> |
| Component: | Inventory | Assignee: | aprice |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | fstavela |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | achadha, cmarinea, fjansen, kdixon, lphiri, mpusater, robwilli |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-08-26 16:08:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Amar, this is an RFE. At the moment there are no RBAC permissions for Inventory, only apps (like Advisor, Vulnerability, etc.). We are internally talking about the complexities around how applications would behave if some Inventory permissions were stripped from a user, and thus have deferred the Inventory permissions altogether. I would like to see if we can do a read-only style permission to prevent writes the way you are looking for, as an RFE.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days.
Description of problem:

Removed all roles from 'Default user access' and created a separate Admin group. Added the desired users under the Admin group; however, a new user who is not part of any group created under c.r.c can delete systems from Inventory.

Version-Release number of selected component (if applicable):

```json
{
  "Username": "insights-support",
  "CurrentApp": "User access",
  "ApplicationPath": "/settings/rbac/groups",
  "apps": [
    { "name": "Chrome", "path": "apps/chrome/app.info.json", "version": "06daa04110d303d6353daf4483252725674c30ba.20" },
    { "name": "Dashboard", "path": "apps/dashboard/app.info.json", "version": "7540558ba4682f7381ef47d234aa0e2f6b3dfeeb.15" },
    { "name": "Inventory", "path": "apps/inventory/app.info.json", "version": "3396e9afe06b09c6d5c7ec941bd4c276d061b862.17" },
    { "name": "Remediations", "path": "apps/remediations/app.info.json", "version": "9644254c63a1f587010cfe82453194a8162d6f05.9" },
    { "name": "Vulnerability", "path": "apps/vulnerability/app.info.json", "version": "46ff4e4adcfbed833ed67c103d031094a2c2e471.18" },
    { "name": "Compliance", "path": "apps/compliance/app.info.json", "version": "c4d1ae8e83e333a0f991b6a5ba5958e1ce9f09c3.31" },
    { "name": "Cost Management", "path": "apps/cost-management/app.info.json", "version": "128503f0e791065aa1179f3fb7f0d0568c1b0175.6" },
    { "name": "Advisor", "path": "apps/advisor/app.info.json", "version": "4f535c1b026835a1156224ae78cc9a2ddc1c25e1.111" },
    { "name": "Drift", "path": "apps/drift/app.info.json", "version": "95ada9b556a8c5a875215a36467db2762ff8c97a.14" },
    { "name": "Migration Analytics", "path": "apps/migration-analytics/app.info.json", "version": "ed5911167f49e3fd98fab1b2fa72ba5ef94192e2.2" },
    { "name": "Automation Hub", "path": "apps/automation-hub/app.info.json", "version": "92f145dba327b7c5b7466ab9277eee8c7c69de01.12" },
    { "name": "Automation Analytics", "path": "apps/automation-analytics/app.info.json", "version": "5aa63d460c5287851306a9f467cc98c4aa9d8019.12" },
    { "name": "Policies", "path": "apps/policies/app.info.json", "version": "333c58f376bc0cb284ed64c63786d47a172b0ef9.8" },
    { "name": "Patch", "path": "apps/patch/app.info.json", "version": "5561c9a04e951fbbc768bbc93cfb0a09dfe8475d.2" }
  ]
}
```

How reproducible:
Always

Steps to Reproduce:
1. Create two users on the portal: user1 (org admin) and user2 (normal user).
2. Create a different Admin user group and assign all roles to this group.
3. Add user1 to the Admin group.
4. Remove all roles from 'Default user access' on c.r.c.
   ~~~
   Now that you have edited the Default user access group, the system will no longer update it with new default access roles. The group name has changed to Custom default user access.
   ~~~
5. Log in to cloud.redhat.com with user2 and try to delete the system from inventory.

Actual results:
Non-authorized users can delete the system from Inventory.

Expected results:
It should not allow performing that action.

Additional info:
'Custom default user access' group should by default give 'viewer only' rights.
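Added example (not code from the Inventory or RBAC services) showing the default-deny check the expected result above amounts to once Inventory has permission strings of its own. It assumes the console RBAC `app:resource:verb` permission format with `*` wildcards, a hypothetical `inventory:hosts:write` permission gating host deletion, and constructed access lists in the shape of the RBAC access endpoint's `data` field.

```python
"""Default-deny permission check in the console.redhat.com RBAC style.

Added example, not code from the Inventory service or the RBAC service.
Assumptions: permissions are "app:resource:verb" strings as found in the
"data" list of a GET /api/rbac/v1/access/?application=<app> response,
"*" matches any segment, and deleting a host needs the hypothetical
"inventory:hosts:write".  The access lists below are constructed; no API
call is made.
"""
from typing import Iterable

# Constructed sample access responses for three users (not captured data).
ORG_ADMIN_ACCESS = {"data": [{"permission": "inventory:*:*", "resourceDefinitions": []}]}
VIEWER_ACCESS = {"data": [{"permission": "inventory:hosts:read", "resourceDefinitions": []}]}
NO_ROLE_ACCESS = {"data": []}  # user2 after every role is removed from the default group


def _segment_matches(granted: str, wanted: str) -> bool:
    return granted == "*" or granted == wanted


def permission_matches(granted: str, wanted: str) -> bool:
    """True if a granted 'app:resource:verb' entry covers the wanted one."""
    g, w = granted.split(":"), wanted.split(":")
    if len(g) != 3 or len(w) != 3:
        return False  # malformed entries never grant anything
    return all(_segment_matches(a, b) for a, b in zip(g, w))


def is_allowed(access_response: dict, wanted: str) -> bool:
    """Fail closed: allow only when some entry in the access list covers `wanted`."""
    entries: Iterable[dict] = access_response.get("data", [])
    return any(permission_matches(e.get("permission", ""), wanted) for e in entries)


def can_delete_hosts(access_response: dict) -> bool:
    """Gate the destructive action; an empty access list must yield False."""
    return is_allowed(access_response, "inventory:hosts:write")


if __name__ == "__main__":
    for name, acc in [("org admin", ORG_ADMIN_ACCESS), ("viewer", VIEWER_ACCESS), ("no roles", NO_ROLE_ACCESS)]:
        print(f"{name:>9}: delete allowed = {can_delete_hosts(acc)}")
```

With no Inventory permission strings defined at all, as the assignee's comment describes, there is nothing for the application to gate on, which is why the empty-roles user in the reproduction steps still reaches the delete action.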