Bug 1014219 - RBAC: Control element visibility for users with multiple scoped roles
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console (Show other bugs)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: DR6
Target Release: EAP 6.3.0
Assigned To: Harald Pehl
QA Contact: Jakub Cechacek
Docs Contact: Russell Dickenson
Depends On: 1074493
Reported: 2013-10-01 10:24 EDT by Jakub Cechacek
Modified: 2015-02-01 18:00 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Users assigned to multiple roles would see operations in the console that they did not have access to perform. For example, a user with the roles *host-master-administrator* and *host-slave-monitor* should only have been able to see control elements (such as the *Add* button on the server configurations page) in the context of the host slave. This button should not have been visible when operating in the context of the host master (however it was). Operations that were incorrectly visible would fail if attempted, because the correct access control was enforced when the operation was executed. There was no security violation. This issue in the management console has been fixed in this release. Control elements which are not relevant for a user's role remain visible but are 'grayed-out' and not active.
Story Points: ---
Clone Of:
Last Closed: 2014-06-28 11:39:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker HAL-238 Major Resolved Control element visibility for users with multiple scoped roles 2016-06-20 04:36 EDT

Description Jakub Cechacek 2013-10-01 10:24:39 EDT
Control elements are visible whenever it is required by one of the user's roles, regardless of the current host / group context. Let's say we have a user with the roles "host-master-administrator" and "host-slave-monitor". This user should be able to see control elements (such as the "Add" button on the server configurations page) only in the context of the host slave; when operating in the context of the host master, this button should not be visible.

For server groups things are more complicated, as all groups are listed on one page. Thus making buttons enabled / disabled based on the selected resource might be a better solution.
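The visibility rule under discussion, as an added illustration that is not part of this bug report or of the HAL console code: a user's scoped roles are evaluated against the resource currently selected (host or server group), not as a union across all roles. The role names and the administrator/monitor split follow the report; the base-role table, the `ScopedRole` type and the button-state helpers are constructed for this example. In line with Ladislav's correction in comment 11, the write-capable role here is the one scoped to the host *master*, so that is the only host context in which the "Add" control is enabled.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Simplified base-role table (constructed for this example): base roles that
# may perform write operations such as adding a server configuration.
# Monitor and Auditor are read-only.
WRITE_ROLES = frozenset({"Operator", "Maintainer", "Deployer", "Administrator", "SuperUser"})


@dataclass(frozen=True)
class ScopedRole:
    """A base role restricted to a set of hosts or server groups (hypothetical model)."""
    name: str                 # e.g. "host-master-administrator"
    base: str                 # e.g. "Administrator"
    scope_kind: str           # "host" or "server-group"
    scope: frozenset          # resources the role applies to


def roles_in_scope(roles: Iterable[ScopedRole], scope_kind: str, resource: str):
    """Only the roles scoped to the currently selected resource are considered."""
    return [r for r in roles if r.scope_kind == scope_kind and resource in r.scope]


def can_write_unioned(roles: Iterable[ScopedRole]) -> bool:
    """The behaviour reported as the bug: any write-capable role anywhere
    makes the control visible, whatever context the user is operating in."""
    return any(r.base in WRITE_ROLES for r in roles)


def can_write_in_context(roles: Iterable[ScopedRole], scope_kind: str, resource: str) -> bool:
    """Context-aware check: a write control is active only if a role scoped
    to the selected resource permits writes."""
    return any(r.base in WRITE_ROLES for r in roles_in_scope(roles, scope_kind, resource))


def add_button_state(roles: Iterable[ScopedRole], scope_kind: str, resource: str) -> str:
    """State of the 'Add' control as the fixed console renders it:
    visible but grayed-out when the user may not write in this context."""
    return "enabled" if can_write_in_context(roles, scope_kind, resource) else "grayed-out"


def server_group_button_states(roles: Iterable[ScopedRole], groups: Iterable[str]) -> Dict[str, str]:
    """Server groups are listed on one page, so each row gets its own state
    based on the group it represents rather than one page-wide decision."""
    return {g: add_button_state(roles, "server-group", g) for g in groups}


# Constructed sample user: the two roles named in the report.
USER_ROLES = (
    ScopedRole("host-master-administrator", "Administrator", "host", frozenset({"master"})),
    ScopedRole("host-slave-monitor", "Monitor", "host", frozenset({"slave"})),
)

# Constructed sample for the server-group page: maintainer on one group only.
GROUP_USER_ROLES = (
    ScopedRole("main-group-maintainer", "Maintainer", "server-group", frozenset({"main-server-group"})),
    ScopedRole("other-group-monitor", "Monitor", "server-group", frozenset({"other-server-group"})),
)

if __name__ == "__main__":
    for host in ("master", "slave"):
        print(f"host {host}: unioned={can_write_unioned(USER_ROLES)} "
              f"context-aware={add_button_state(USER_ROLES, 'host', host)}")
    print(server_group_button_states(GROUP_USER_ROLES, ["main-server-group", "other-server-group"]))
```

Running the block shows the symptom side by side with the fix: `can_write_unioned` answers True in both host contexts, which is why the button appeared for the host slave, while the context-aware check enables it only for the master; on the server-group page the per-row dictionary is what lets the console gray out individual rows instead of the whole page.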
Comment 4 John Doyle 2013-10-03 04:22:29 EDT
So the user experience would be that the button is visible in a context when it should not be, but the operation will fail if the user attempts it?
Comment 5 Jakub Cechacek 2013-10-03 04:42:06 EDT
Comment 6 John Doyle 2013-10-03 04:55:42 EDT
If we cannot resolve this issue with our current timeline, we should defer.
Comment 7 John Doyle 2013-10-16 22:40:09 EDT
Added text for a known issue.
Comment 8 Heiko Braun 2013-10-21 07:41:21 EDT
It's a known issue, that has already been postponed. See above.
Comment 10 John Doyle 2013-10-21 12:08:18 EDT
Acknowledged. I already added text for the release note.
Comment 11 Ladislav Thon 2013-10-21 12:36:09 EDT
The original report, and in consequence also the Doc Text, is wrong in one detail: the control elements should only be visible in context of host _master_ (as for this host, the user is in the administrator role). Jakub, please confirm.
Comment 12 Jakub Cechacek 2013-10-22 02:57:59 EDT
That's true, I've accidentally switched the context in my description. 

Russell, can you correct the Doc Text please?
Comment 13 Scott Mumford 2013-12-01 20:55:43 EST
Modified Doc Text content (appears to gel with Jakub's comment 12) and marked for inclusion in 6.2 Release Notes document.
Comment 14 Kabir Khan 2014-03-06 11:40:48 EST
Part of this is done by https://github.com/jbossas/jboss-eap/pull/1024
Comment 15 JBoss JIRA Server 2014-03-13 21:23:46 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-238 to Resolved
Comment 18 Jakub Cechacek 2014-04-16 06:12:28 EDT
Verified 6.3.0.ER1
Comment 20 Scott Mumford 2014-05-14 23:28:49 EDT
Edited release note as per bug 1097786.
