A first pass at a temporary script to create a single Role for every Organization with all permissions assigned to this role *except* the ability to create other Organizations as well as modify Roles can be found here:
http://people.redhat.com/~mmccune/create_org_admins.rake
To run this utility do the following:
1) Download to your Satellite 6.1 system:
# curl http://people.redhat.com/~mmccune/create_org_admins.rake > /usr/share/foreman/lib/tasks/create_org_admins.rake
2) Execute the script:
# foreman-rake create_org_admins
Creating Roles for every Organization with all Permissions except Organization and Role objects.
** Creating ROLE: Org Admin - Default Organization
** Adding Filters to ROLE: Org Admin - Default Organization
** Creating ROLE: Org Admin - Org333
** Adding Filters to ROLE: Org Admin - Org333
** Creating ROLE: Org Admin - The Demo Org Auto
** Adding Filters to ROLE: Org Admin - The Demo Org Auto
Done creating new Roles with all Filters and Permissions except Organization and Role objects.
3) This will create a single Role for each Organization on the Satellite. Each Role will have all permissions except for Organization and Role objects assigned to it with no scoped filtering on specific objects.
This will allow users scoped to a single Organization with this Role to act as an Admin but only be able to modify objects within that Organization.
This is a First Draft of this script and is open to modification and suggestions.
ORG admin will probably need access to manifest and subscription management for their own org, which is part of organization resource type.
Adding org resource with delete_manifest, import_manifest, unattach_subscriptions, attach_subscriptions, view_subscriptions filters does the trick.
Comment 10, Johan Bergström, 2016-04-14 12:45:46 UTC
ORG admin has access to full audit trails for all organizations by default.
ORG admin can see and modify tasks for all organizations - this is bad.
I added Mike's script with some changes that should remove permissions to see other orgs when editing permissions.
This version was created by Tom Caspy on Feb 8th.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:0336