Hide Forgot
Description of problem: User that belongs to a group with no filtering and a sub-tenant is only able to see Clusters, Hosts, Resource Pools & Datastores sub-tenant does not have access to Providers, virtual machines or templates. Version-Release number of selected component (if applicable): 5.5.0 How reproducible: very Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Assigning to add test case
Josh, the visibility rules per class is found here: https://github.com/ManageIQ/manageiq/blob/62477b802b2ea7eead99bd78fdf9cebcc7473702/app/models/rbac.rb#L59-L70 Can you clarify exactly what setup you have in terms of a tree what objects you have, providers/ems/vm/templates and what tenant/group they belong to? A sub-tenant should only be able to see "ExtManagementSystem", "MiqAeNamespace", "MiqTemplate", "Provider", "ServiceTemplateCatalog", "ServiceTemplate", etc. (the keys with a value of :ancestor_ids).
Of course, the sub-tenant will of course see all of it's own things, but above is for the class of objects owned by a parent tenant that are visible from the child tenant.
Please retest with 5.5.2. There was a fix made to address visibility of templates owned by the parent tenant. Users should be able to see the templates owned by the current tenant and parent tenants only. But, see VMs owned by current tenant and child tenants only.