Bug 1264732 - [RFE] Predefined role which is equivalent of ORG ADMIN
Summary: [RFE] Predefined role which is equivalent of ORG ADMIN
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Renzo Nuccitelli
: 1280468 1301900 (view as bug list)
Depends On:
Blocks: 1353215 1296845
TreeView+ depends on / blocked
Reported: 2015-09-21 05:21 UTC by Rishi
Modified: 2021-06-10 11:01 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2018-02-21 12:30:53 UTC
Target Upstream Version:

Attachments (Terms of Use)
create_org_admins script (1.32 KB, text/plain)
2016-05-24 05:07 UTC, orabin
no flags Details
Roles with Taxonomy Association (120.49 KB, image/jpeg)
2016-11-15 13:20 UTC, Renzo Nuccitelli
no flags Details

System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 7806 0 Normal Closed As a user, I would like roles to associate roles with organizations. 2020-08-27 09:17:05 UTC
Red Hat Bugzilla 1280468 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 1301900 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHSA-2018:0336 0 normal SHIPPED_LIVE Important: Satellite 6.3 security, bug fix, and enhancement update 2018-02-21 22:43:42 UTC

Internal Links: 1280468 1301900 1344506

Comment 4 Bryan Kearney 2015-11-13 16:35:50 UTC
*** Bug 1280468 has been marked as a duplicate of this bug. ***

Comment 6 Mike McCune 2016-01-14 05:38:19 UTC
A first pass at a temporary script to create a single Role for every Organization with all permissions assigned to this role *except* the ability to create other Organizations as well as modify Roles can be found here:


To run this utility do the following:

1) Download to your Satellite 6.1 system:

# curl http://people.redhat.com/~mmccune/create_org_admins.rake > /usr/share/foreman/lib/tasks/create_org_admins.rake

2) Execute the script:

# foreman-rake create_org_admins
Creating Roles for every Organization with all Permissions except Organization and Role objects.

  ** Creating ROLE: Org Admin - Default Organization
  ** Adding Filters to ROLE: Org Admin - Default Organization
  ** Creating ROLE: Org Admin - Org333
  ** Adding Filters to ROLE: Org Admin - Org333
  ** Creating ROLE: Org Admin - The Demo Org Auto
  ** Adding Filters to ROLE: Org Admin - The Demo Org Auto

Done creating new Roles with all Filters and Permissions except Organization and Role objects.

3) This will create a single Role for each Organization on the Satellite. Each Role will have all permissions except for Organization and Role objects assigned to it with no scoped filtering on specific objects. 

This will allow users scoped to a single Organization with this Role have the ability to act as an Admin but only be able to modify objects within that Organization.

This is a First Draft of this script and is open to modification and suggestions.

Comment 7 Bryan Kearney 2016-02-11 16:46:53 UTC
*** Bug 1301900 has been marked as a duplicate of this bug. ***

Comment 9 Johan Bergström 2016-04-14 12:08:58 UTC
ORG admin will probably need access to manifest and subscription management for their own org, which is part of organization resource type.

Adding org resource with delete_manifest, import_manifest, unattach_subscriptions, attach_subscriptions, view_subscriptions filters does the trick.

Comment 10 Johan Bergström 2016-04-14 12:45:46 UTC
ORG admin has access to full audittrails for all organizations per default.

ORG admin can see and modify tasks for all organizations - this is bad.

Comment 11 orabin 2016-05-24 05:07:20 UTC
Created attachment 1160873 [details]
create_org_admins script

Comment 12 orabin 2016-05-24 05:13:25 UTC
I added Mike's script with some changes that should remove permissions to see other orgs when editing permissions.
This version was created by Tom Caspy on Feb 8th.

Comment 13 Bryan Kearney 2016-07-08 20:19:14 UTC
Per 6.3 planning, moving out non acked bugs to the backlog

Comment 15 Bryan Kearney 2016-07-28 08:09:09 UTC
Upstream bug assigned to mhulan

Comment 16 Bryan Kearney 2016-07-28 08:09:15 UTC
Upstream bug component is Users & Roles

Comment 18 Bryan Kearney 2016-08-26 10:10:07 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7806 has been closed

Comment 21 Renzo Nuccitelli 2016-11-15 13:20:13 UTC
Created attachment 1220833 [details]
Roles with Taxonomy Association

Comment 22 Renzo Nuccitelli 2016-11-15 13:22:12 UTC
Now Roles can be associated with taxonomies (screen attached). Verified on sat 6.3.0 snap 6.

Comment 26 errata-xmlrpc 2018-02-21 12:30:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.