Red Hat Bugzilla – Bug 1264732
[RFE] Predefined role which is equivalent of ORG ADMIN
Last modified: 2017-09-11 12:41:08 EDT
*** Bug 1280468 has been marked as a duplicate of this bug. ***
A first pass at a temporary script to create a single Role for every Organization with all permissions assigned to this role *except* the ability to create other Organizations as well as modify Roles can be found here:
To run this utility do the following:
1) Download to your Satellite 6.1 system:
# curl http://people.redhat.com/~mmccune/create_org_admins.rake > /usr/share/foreman/lib/tasks/create_org_admins.rake
2) Execute the script:
# foreman-rake create_org_admins
Creating Roles for every Organization with all Permissions except Organization and Role objects.
** Creating ROLE: Org Admin - Default Organization
** Adding Filters to ROLE: Org Admin - Default Organization
** Creating ROLE: Org Admin - Org333
** Adding Filters to ROLE: Org Admin - Org333
** Creating ROLE: Org Admin - The Demo Org Auto
** Adding Filters to ROLE: Org Admin - The Demo Org Auto
Done creating new Roles with all Filters and Permissions except Organization and Role objects.
3) This will create a single Role for each Organization on the Satellite. Each Role will have all permissions except for Organization and Role objects assigned to it with no scoped filtering on specific objects.
This will allow users scoped to a single Organization with this Role to have the ability to act as an Admin but only be able to modify objects within that Organization.
This is a First Draft of this script and is open to modification and suggestions.
*** Bug 1301900 has been marked as a duplicate of this bug. ***
ORG admin will probably need access to manifest and subscription management for their own org, which is part of organization resource type.
Adding org resource with delete_manifest, import_manifest, unattach_subscriptions, attach_subscriptions, view_subscriptions filters does the trick.
ORG admin has access to full audit trails for all organizations by default.
ORG admin can see and modify tasks for all organizations - this is bad.
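The permission selection discussed in the comments above, as an added example that is not part of the bug thread or of the attached scripts: it grants everything except Organization and Role permissions, adds back the five manifest and subscription permissions, and reports granted resource types that cannot be limited to one organization. The catalogue rows, the `org_scoped` flag, and the names `plan_org_admin_role` and `role_name` are assumptions made for illustration.

```ruby
# Constructed sample catalogue: [permission name, resource type, org_scoped].
# org_scoped is an assumption mirroring the comments above (audit trails and
# tasks were visible across all organizations); it is not read from Foreman.
PERMISSIONS = [
  ["view_hosts",             "Host",               true],
  ["edit_hosts",             "Host",               true],
  ["create_organizations",   "Organization",       true],
  ["import_manifest",        "Organization",       true],
  ["delete_manifest",        "Organization",       true],
  ["attach_subscriptions",   "Organization",       true],
  ["unattach_subscriptions", "Organization",       true],
  ["view_subscriptions",     "Organization",       true],
  ["edit_roles",             "Role",               true],
  ["view_audit_logs",        "Audit",              false],
  ["view_foreman_tasks",     "ForemanTasks::Task", false],
  ["edit_foreman_tasks",     "ForemanTasks::Task", false],
].freeze

EXCLUDED_TYPES = %w[Organization Role].freeze
# Permissions the comments say an org admin still needs from an excluded type.
ALLOWED_FROM_EXCLUDED = %w[delete_manifest import_manifest unattach_subscriptions
                           attach_subscriptions view_subscriptions].freeze

Plan = Struct.new(:filters, :unscoped)

# Hypothetical helper: returns the filters (resource type => permission names)
# for one org admin role, plus granted types that cannot be scoped to one org.
def plan_org_admin_role(catalogue)
  granted = catalogue.select do |name, type, _scoped|
    !EXCLUDED_TYPES.include?(type) || ALLOWED_FROM_EXCLUDED.include?(name)
  end
  filters = granted.group_by { |_name, type, _scoped| type }
                   .transform_values { |rows| rows.map(&:first).sort }
  unscoped = granted.reject { |_name, _type, scoped| scoped }
                    .map { |_name, type, _scoped| type }.uniq.sort
  Plan.new(filters, unscoped)
end

# Role naming as shown in the script output quoted earlier in the thread.
def role_name(org)
  "Org Admin - #{org}"
end

if __FILE__ == $PROGRAM_NAME
  plan = plan_org_admin_role(PERMISSIONS)
  puts "ROLE: #{role_name('Org333')}"
  plan.filters.each { |type, perms| puts "  #{type}: #{perms.join(', ')}" }
  puts "Review (not limited to one organization): #{plan.unscoped.join(', ')}"
end
```

Any resource type listed in the review line needs a separate decision before the role is handed to a tenant administrator.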
Created attachment 1160873
I added Mike's script with some changes that should remove permissions to see other orgs when editing permissions.
This version was created by Tom Caspy on Feb 8th.
Per 6.3 planning, moving out non-acked bugs to the backlog.
Upstream bug assigned to email@example.com
Upstream bug component is Users & Roles
Moving to POST since upstream bug http://projects.theforeman.org/issues/7806 has been closed
Created attachment 1220833
Roles with Taxonomy Association
Now Roles can be associated with taxonomies (screen attached). Verified on sat 6.3.0 snap 6.