Bug 1264732 - [RFE] Predefined role which is equivalent of ORG ADMIN
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Unspecified Unspecified
Priority: high, Severity: high
: GA
: --
Assigned To: Marek Hulan
Renzo Nuccitelli
Keywords: FutureFeature, Triaged
Duplicates: 1280468 1301900
Depends On:
Blocks: 1296845
Reported: 2015-09-21 01:21 EDT by Rishi
Modified: 2017-09-11 12:41 EDT
Doc Type: Enhancement
Type: Bug

Attachments
create_org_admins script (1.32 KB, text/plain), 2016-05-24 01:07 EDT, orabin
Roles with Taxonomy Association (120.49 KB, image/jpeg), 2016-11-15 08:20 EST, Renzo Nuccitelli

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 7806 None None None 2016-07-28 03:13 EDT

Comment 4 Bryan Kearney 2015-11-13 11:35:50 EST
*** Bug 1280468 has been marked as a duplicate of this bug. ***
Comment 6 Mike McCune 2016-01-14 00:38:19 EST
A first pass at a temporary script to create a single Role for every Organization with all permissions assigned to this role *except* the ability to create other Organizations as well as modify Roles can be found here:


To run this utility do the following:

1) Download to your Satellite 6.1 system:

# curl http://people.redhat.com/~mmccune/create_org_admins.rake > /usr/share/foreman/lib/tasks/create_org_admins.rake

2) Execute the script:

# foreman-rake create_org_admins
Creating Roles for every Organization with all Permissions except Organization and Role objects.

  ** Creating ROLE: Org Admin - Default Organization
  ** Adding Filters to ROLE: Org Admin - Default Organization
  ** Creating ROLE: Org Admin - Org333
  ** Adding Filters to ROLE: Org Admin - Org333
  ** Creating ROLE: Org Admin - The Demo Org Auto
  ** Adding Filters to ROLE: Org Admin - The Demo Org Auto

Done creating new Roles with all Filters and Permissions except Organization and Role objects.

3) This will create a single Role for each Organization on the Satellite. Each Role will have all permissions except for Organization and Role objects assigned to it with no scoped filtering on specific objects. 

This will allow users scoped to a single Organization with this Role to have the ability to act as an Admin but only be able to modify objects within that Organization.

This is a First Draft of this script and is open to modification and suggestions.
Comment 7 Bryan Kearney 2016-02-11 11:46:53 EST
*** Bug 1301900 has been marked as a duplicate of this bug. ***
Comment 9 Johan Bergström 2016-04-14 08:08:58 EDT
ORG admin will probably need access to manifest and subscription management for their own org, which is part of organization resource type.

Adding org resource with delete_manifest, import_manifest, unattach_subscriptions, attach_subscriptions, view_subscriptions filters does the trick.
Comment 10 Johan Bergström 2016-04-14 08:45:46 EDT
ORG admin has access to full audit trails for all organizations per default.

ORG admin can see and modify tasks for all organizations - this is bad.
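
The role shape discussed in comments 6, 9 and 10, as an added example that is not part of the thread, the attached script or Satellite's code: it builds a per-organization filter list that excludes the Organization and Role resource types, re-adds the five subscription and manifest permissions from comment 9, and reports which filters cannot be tied to the organization. The permission catalogue is constructed sample data; its resource names, the permission names other than those five, and the org_scoped flags are assumptions.

```ruby
# Constructed permission catalogue (sample data, not a Satellite export).
# :org_scoped says whether a filter on that resource type can be limited to
# one organization. The flags are assumptions; Audit and Task are set to
# false to mirror the behaviour reported in comment 10.
CATALOGUE = [
  { resource: "Host",  org_scoped: true,  perms: %w[view_hosts edit_hosts] },
  { resource: "Audit", org_scoped: false, perms: %w[view_audit_logs] },
  { resource: "Task",  org_scoped: false, perms: %w[view_tasks edit_tasks] },
  { resource: "Role",  org_scoped: false, perms: %w[view_roles edit_roles] },
  { resource: "Organization", org_scoped: true,
    perms: %w[create_organizations view_subscriptions attach_subscriptions
              unattach_subscriptions import_manifest delete_manifest] }
].freeze

# Resource types withheld from the role (comment 6).
EXCLUDED = %w[Organization Role].freeze
# Organization permissions added back for subscription handling (comment 9).
ORG_ALLOW = %w[delete_manifest import_manifest unattach_subscriptions
               attach_subscriptions view_subscriptions].freeze

# Build the filter list for one organization's admin role.
def org_admin_filters(org, catalogue = CATALOGUE)
  catalogue.map do |entry|
    perms = if entry[:resource] == "Organization"
              entry[:perms] & ORG_ALLOW   # allow-list, never the whole type
            elsif EXCLUDED.include?(entry[:resource])
              []
            else
              entry[:perms]
            end
    next if perms.empty?
    { resource: entry[:resource], perms: perms,
      org: entry[:org_scoped] ? org : nil }
  end.compact
end

# Resource types whose filter is not limited to the organization; these are
# the grants to review before handing the role to a delegated admin.
def unscoped(filters)
  filters.select { |f| f[:org].nil? }.map { |f| f[:resource] }
end

if __FILE__ == $PROGRAM_NAME
  filters = org_admin_filters("Org333")
  filters.each { |f| puts "#{f[:resource]}: #{f[:perms].join(', ')} (org=#{f[:org].inspect})" }
  puts "Unscoped resource types: #{unscoped(filters).join(', ')}"
end
```
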
Comment 11 orabin 2016-05-24 01:07 EDT
Created attachment 1160873
create_org_admins script
Comment 12 orabin 2016-05-24 01:13:25 EDT
I added Mike's script with some changes that should remove permissions to see other orgs when editing permissions.
This version was created by Tom Caspy on Feb 8th.
Comment 13 Bryan Kearney 2016-07-08 16:19:14 EDT
Per 6.3 planning, moving out non acked bugs to the backlog
Comment 15 Bryan Kearney 2016-07-28 04:09:09 EDT
Upstream bug assigned to mhulan@redhat.com
Comment 16 Bryan Kearney 2016-07-28 04:09:15 EDT
Upstream bug component is Users & Roles
Comment 18 Bryan Kearney 2016-08-26 06:10:07 EDT
Moving to POST since upstream bug http://projects.theforeman.org/issues/7806 has been closed
Comment 21 Renzo Nuccitelli 2016-11-15 08:20 EST
Created attachment 1220833
Roles with Taxonomy Association
Comment 22 Renzo Nuccitelli 2016-11-15 08:22:12 EST
Now Roles can be associated with taxonomies (screen attached). Verified on sat 6.3.0 snap 6.
