Bug 1015569 - RBAC: Host Scoped administrator can't read sensitive resources
RBAC: Host Scoped administrator can't read sensitive resources
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Heiko Braun
Jakub Cechacek
Russell Dickenson
Depends On:
  Show dependency treegraph
Reported: 2013-10-04 10:03 EDT by Zbyněk Roubalík
Modified: 2015-02-01 18:00 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-07 06:18:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Zbyněk Roubalík 2013-10-04 10:03:09 EDT
Description of problem:
Host Scoped administrator can't read sensitive resources, eg. Datasource credentials, Profiles->Security->Security Domains

Version-Release number of selected component (if applicable):
EAP 6.2.0.ER4

Steps to Reproduce:
1. log as host scoped administrator
2. go to Profiles->Security->Security Domains 

Actual results:
Authorisation Required You don't have the permissions to access this resource!

Expected results:
Access to this resource.
Comment 1 Heiko Braun 2013-10-04 10:07:34 EDT
Brian, is this expected? AFAIK host scoped, actually means host scoped and monitor permissions everywhere else.
Comment 2 Brian Stansberry 2013-10-04 10:36:20 EDT
The current behavior is the intended behavior. A scoped role has the powers of the base role it's derived from for resources within its scope, and has monitor-level permissions elsewhere.

The Administrators for a set of hosts or server group may have no reason to know sensitive information unrelated to their area of responsibility.
Comment 3 Jakub Cechacek 2013-10-07 06:18:40 EDT
Closing as this is not an issue, rather misunderstanding on QE side.

Note You need to log in before you can comment on or make changes to this bug.