Description of problem:
When the admin role is given to an org. unit or a repository and the admin deploys a project and starts some process instances, then privileges are ignored in BC. E.g. a user with the analyst role can build & deploy any project from the org. unit/repository or cancel process instances started by admin.

Version-Release number of selected component (if applicable):
BPMS 6.1.0.ER6

How reproducible:
Always

Steps to Reproduce:
1. Add admin role to org. unit/repository in kie-config-cli: add-role-org-unit or add-role-repo
2. Login to the BC as a user with the admin role and start some process instances. Logout.
3. Login to the BC as a user with the analyst role and try to list the org. unit/repository and try to cancel process instances started by admin.

Actual results:
Analyst has the rights of admin

Expected results:
The OU or repository and its projects are hidden from analyst.

Additional info:
Pavel, if you add roles to a repository or org unit after the project has been created, these roles won't be reflected at runtime as they won't be added to the deployment descriptor. So to make this work you need to add roles for runtime via the deployment descriptor (using the project editor). Roles from the repository are automatically transferred only upon project creation; any other modification to the security of the repository must be manually added to the deployment descriptor.
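As an added illustration (not part of this bug report and not a file from the product), this is the kind of deployment descriptor entry that the previous comment refers to: the runtime-side role restriction that is only seeded from the repository at project creation time. The file path META-INF/kie-deployment-descriptor.xml, the root element and the required-roles/required-role element names follow the jBPM 6 deployment descriptor format as I know it; treat them as assumptions to check against what the project editor in your version actually writes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration: META-INF/kie-deployment-descriptor.xml
     (path, namespace and element names are assumptions, not taken from this bug). -->
<deployment-descriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://www.jboss.org/jbpm deployment-descriptor.xsd">
    <!-- Runtime restriction: only users holding at least one of these roles may
         interact with this deployment and its process instances.
         A role added to the repository or org unit AFTER project creation is not
         copied here automatically, which is why an analyst could still act on the
         admin's process instances in the scenario above. -->
    <required-roles>
        <required-role>admin</required-role>
    </required-roles>
</deployment-descriptor>
```

A quick check after adding the entry and rebuilding: log in as the analyst user and confirm that the deployment's process instances are no longer listed or cancellable, which is the observable behaviour the expected results ask for.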
This works just OK when the roles are added to the deployment descriptor. I will close this as soon as we have a resolution for BZ #1203696. I would like to try to verify that custom roles work too.
The issue is not about the runtime data. When you allow access to the 'admin' role on 'OU 1', then someone with 'analyst' is not able to see it. This is valid only until the 'admin' user performs some actions (like building a project). After that, 'analyst' can also see 'OU 1' and dig inside it, despite that only 'admin' should be able to view it. One very important thing to note is that we haven't managed to identify the precise actions which break the access privileges. We will update this BZ when we know more. In the meantime I'm lowering the severity as concrete steps to reproduce are unknown.
(In reply to Marek Baluch from comment #3)
> The issue is not about the runtime data.
>
> When you allow access to 'admin' role on 'OU 1' then someone with 'analyst'
> is not able to see it. This is valid only until the 'admin' user performs
> some actions (like building a project). After that also 'analyst' can see
> 'OU 1' and dig inside it despite that only 'admin' should be able to view
> it.
>
> One very important thing to note is that we haven't managed to identify the
> precise actions which break the access privileges. We will update this BZ
> when we know more.
>
> In the meantime I'm lowering the severity as concrete steps to reproduce are
> unknown.

Can anyone explain what this BZ actually refers to? We need some concrete steps to re-create. Is it related to https://bugzilla.redhat.com/show_bug.cgi?id=1214245?
BPMS 6.2.0.CR1 - verified with two different repos. Set admin privileges on the OU, repo and project. As admin, did Build&Deploy. Analyst cannot see the privileged assets.