Bug 1203694 - Roles added to org. unit and repository are ignored by Business Central
Status: CLOSED EOL
Product: JBoss BPMS Platform 6
Classification: Retired
Component: Business Central
Version: 6.1.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: CR1
Target Release: 6.2.0
Assignee: manstis
QA Contact: Lukáš Petrovický
Reported: 2015-03-19 13:15 UTC by Pavel Kralik
Modified: 2020-03-27 20:03 UTC
Doc Type: Bug Fix
Last Closed: 2020-03-27 20:03:17 UTC
Type: Bug
Links (Red Hat Bugzilla)
ID       Private  Priority  Status  Summary                                                                               Last Updated
1192831  0        urgent    CLOSED  User with no privileges for repository can view and modify assets in that repository  2021-02-22 00:41:40 UTC
1203696  0        high      CLOSED  Access restrictions to assets does not work with custom roles                         2021-02-22 00:41:40 UTC
1214245  0        urgent    CLOSED  Roles added to org. unit and repository are ignored by Business Central               2021-02-22 00:41:40 UTC

Description Pavel Kralik 2015-03-19 13:15:23 UTC
Description of problem:

When the admin role is given to an org. unit or a repository and the admin deploys a project and starts some process instances, the privileges are ignored in BC. E.g. a user with the analyst role can build&deploy any project from the org. unit/repository or cancel process instances started by the admin.

Version-Release number of selected component (if applicable):
BPMS 6.1.0.ER6

How reproducible:
Always

Steps to Reproduce:
1. Add the admin role to the org. unit/repository in kie-config-cli: add-role-org-unit or add-role-repo
2. Log in to BC as a user with the admin role and start some process instances. Log out.
3. Log in to BC as a user with the analyst role, try to list the org. unit/repository, and try to cancel the process instances started by the admin.

Actual results:
The analyst has the rights of the admin.

Expected results:
The OU or repository and its projects are hidden from the analyst.

Additional info:

Comment 1 Maciej Swiderski 2015-03-19 14:11:59 UTC
Pavel,

If you add roles to a repository or org unit after the project has been created, these roles won't be reflected at runtime, as they won't be added to the deployment descriptor. So to make this work you need to add the roles for runtime via the deployment descriptor (using the project editor).

Roles from the repository are automatically transferred only upon project creation; any other modification to the security of the repository must be manually added to the deployment descriptor.
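
As an added illustration of the mechanism Comment 1 describes (this is not from the bug report or from the BPMS project's own files): the roles enforced at runtime are the ones listed in the project's kie-deployment-descriptor.xml, so a project created before a role was granted on the repository or OU ends up with an empty list until the role is added through the project editor. Two fragments are shown side by side, weak state first; element names follow the jBPM 6 deployment descriptor, while the namespace attributes are omitted and the `admin` value is assumed for illustration.

```xml
<!-- Before: project created before the role was granted on the repository.
     The runtime list is empty, so the repository-level role is not enforced here. -->
<deployment-descriptor>
  <runtime-strategy>SINGLETON</runtime-strategy>
  <required-roles/>
</deployment-descriptor>

<!-- After: the role added explicitly (what the project editor writes), so the
     runtime enforces it regardless of when the repository role was granted. -->
<deployment-descriptor>
  <runtime-strategy>SINGLETON</runtime-strategy>
  <required-roles>
    <required-role>admin</required-role>
  </required-roles>
</deployment-descriptor>
```

When auditing a deployment, an empty `<required-roles/>` on a project that lives in a role-restricted repository is the condition to look for.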

Comment 2 Marek Baluch 2015-03-19 15:50:57 UTC
This works just ok when the roles are added to the deployment descriptor.

I will close this as soon as we have a resolution for BZ #1203696. I would like to try to verify that custom roles work too.

Comment 3 Marek Baluch 2015-03-19 17:51:28 UTC
The issue is not about the runtime data.

When you allow access to the 'admin' role on 'OU 1', someone with 'analyst' is not able to see it. This is valid only until the 'admin' user performs some actions (like building a project). After that, 'analyst' can also see 'OU 1' and dig inside it, despite the fact that only 'admin' should be able to view it.

One very important thing to note is that we haven't managed to identify the precise actions which break the access privileges. We will update this BZ when we know more.

In the meantime I'm lowering the severity, as concrete steps to reproduce are unknown.

Comment 6 manstis 2015-11-10 17:01:03 UTC
(In reply to Marek Baluch from comment #3)
> The issue is not about the runtime data.
> 
> When you allow access to 'admin' role on 'OU 1' then someone with 'analyst'
> is not able to see it. This is valid only until the 'admin' user performs
> some actions (like building a project). After that also 'analyst' can see
> 'OU 1 ' and dig inside it despite that only 'admin' should be able to view
> it.
> 
> One very important thing to note is that we haven't managed to identify the
> precise actions which break the access privileges. We will update this BZ
> when we know more.
> 
> In the meantime I'm lowering the severity as concrete steps to reproduce are
> unknown.

Can anyone explain what this BZ actually refers to?

We need some concrete steps to re-create. Is it related to https://bugzilla.redhat.com/show_bug.cgi?id=1214245?

Comment 9 Pavel Kralik 2015-11-23 16:56:04 UTC
BPMS 6.2.0.CR1 - verified with two different repos. Set admin privileges on the OU, repo, and project. As admin, did Build&Deploy. The analyst cannot see the privileged assets.
