Description of problem: A user with no group level filtering but role level filtering set to "Only User or Group Owned" is unable to see a service catalog that is based off a template that the user has group ownership of. Version-Release number of selected component (if applicable): 5.5.0 How reproducible: Steps to Reproduce: 0. Login by admin 1. Configure -> Configuration -> Access Control -> Tenant -> Select ‘My Company’ Configuration -> Add Child Tenant to this Tenant — create new tenant 2. Configure -> Configuration -> Access Control -> Roles Configuration -> Add new Role Then In the Role information area, set a value ‘Only User or Group Owned’ in the ‘VM and Template Access Restriction’. — create new role 3. Configure -> Configuration -> Access Control -> Select group Configuration -> Add new Group — create new group Then, Role = select created role in step2 and Project/Tenant = select created tenant in step1 4. Configure -> Configuration -> Access Control -> Select user Configuration -> Add new User — create new user Then, Group = select created group in step3 5. Infrastructure -> VM Machine -> select template Configuration -> Set Ownership Group = select created group in step3 6. Create service catalog menu by using template in step5 7. Logout admin then Login by created user in step4 8. Infrastructure -> VM Machine - Please confirm template is available Service Catalog -> Service - Please confirm service menu is unavailable Actual results: Expected results: Additional info:
https://github.com/ManageIQ/manageiq/pull/6347
New commit detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/767833ab472a75e783ffcebb5623060cc914887c commit 767833ab472a75e783ffcebb5623060cc914887c Author: lpichler <lpichler> AuthorDate: Tue Jan 26 16:14:45 2016 +0100 Commit: lpichler <lpichler> CommitDate: Fri Jan 29 11:45:18 2016 +0100 Removing ServiceTemplate from direct RBAC https://bugzilla.redhat.com/show_bug.cgi?id=1296671 we are not using belongs to and managed filters, group and user/tenant ownership(it is not presented in UI), neither tags(ServiceTemplate model is not taggable) app/models/rbac.rb | 1 - 1 file changed, 1 deletion(-)
Expected results slightly changed: In scenario from BZ we should see all service templates which are related to current tenant and parent's tenants (#4425) (not just ServiceTemplate (service catalog menu) based on template as decribed in BZ)
Fixed. Verified in 5.6.0.1-beta2.20160413141124_e25ac0e
It was working before as we expected so this PR is reverting changes https://github.com/ManageIQ/manageiq/pull/8890 In this PR is description how it should works for non-self-service-users and self-service-users
*** Bug 1341175 has been marked as a duplicate of this bug. ***
User can see the template but the catalog item.
User can see catalog item too . Verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1348