I try to restrict access to specific config groups for a specific user. The new role should be able to filter the available config groups through their names. Therefore this user should not be able to change production relevant config groups. I would need to use this feature in a real world DevOps scenario.

- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name != production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

expected result -> the user should not be able to view or edit config groups with the string "production" in their names.

actual problem -> the user is allowed to view and edit all config groups, even ones with matching names to the exclusion search expression.

Thanks for your attention,
Roland
Created from redmine issue http://projects.theforeman.org/issues/9506
Upstream bug assigned to mhulan
Upstream bug component is Users & Roles
VERIFIED:

# rpm -qa | grep foreman
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-client-1.0-1.noarch
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
puppet-foreman_scap_client-0.3.3-10.el7sat.noarch
foreman-vmware-1.7.2.50-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.5-1.el7sat.noarch
foreman-ovirt-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.24-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.15.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.10-1.el7sat.noarch
foreman-debug-1.7.2.50-1.el7sat.noarch
foreman-proxy-1.7.2.8-1.el7sat.noarch
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-discovery-image-3.0.5-3.el7sat.noarch
foreman-libvirt-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_openscap-0.3.2.10-1.el7sat.noarch
foreman-gce-1.7.2.50-1.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.15-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.23-1.el7sat.noarch
foreman-selinux-1.7.2.17-1.el7sat.noarch
foreman-postgresql-1.7.2.50-1.el7sat.noarch
foreman-compute-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.2.4-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.14-1.el7sat.noarch

steps:
- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name != production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

the user is not able to view or edit config groups with the string "production" in their names.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:0052