Description of problem:
Issues with RBAC filtering using the REST API

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. The output of the URL /api/services, when logged in as a user of group EvmGroup-user_self_service, yields the following result:
{"name":"services","count":10,"subcount":0,"resources":[]}
This is correct, since the OPS UI does not display Services for this group.
2. However, the output of the same URL (/api/services), when logged in as a user of group EvmGroup-desktop, yields the following result:
{"name":"services","count":10,"subcount":10,"resources":[{"href":"http://localhost:3000/api/services/3"},{"href":"http://localhost:3000/api/services/1"},{"href":"http://localhost:3000/api/services/4"},{"href":"http://localhost:3000/api/services/7"},{"href":"http://localhost:3000/api/services/2"},{"href":"http://localhost:3000/api/services/6"},{"href":"http://localhost:3000/api/services/5"},{"href":"http://localhost:3000/api/services/8"},{"href":"http://localhost:3000/api/services/10"},{"href":"http://localhost:3000/api/services/9"}]}
This is incorrect, since a user belonging to this group sees all the services that an Administrator would see. Note that the OPS UI does not display Services for this group.

Actual results:

Expected results:
For a user belonging to the EvmGroup-desktop group, the output from the REST API should be:
{"name":"services","count":10,"subcount":0,"resources":[]}

Additional info:
This may be resolved with Tim's PR https://github.com/ManageIQ/manageiq/pull/6651 on upstream, where we added role identifiers to read actions (e.g. GET), so users of the self-service group/role would get the list of services and users of the desktop group/role will be getting a 403 (forbidden). Aparna, can you confirm and let us know?
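As an added example (not code from the ManageIQ project or from the report), a small regression check over the response shapes quoted above: it extracts the service ids a principal can see, treats the 403 described in the comment as a closed collection rather than a leak, and reports any ids exposed beyond what the role permits. All response bodies, including the 403 body, are constructed; localhost:3000 is the placeholder host from the report.

```python
import json
import re


# Constructed sample responses, shaped like the bodies quoted in the report.
def _service_list(n):
    return json.dumps({"name": "services", "count": n, "subcount": n,
                       "resources": [{"href": f"http://localhost:3000/api/services/{i}"}
                                     for i in range(1, n + 1)]})


ADMIN_RESP = (200, _service_list(10))            # administrator sees all ten
DESKTOP_RESP_BUGGY = (200, _service_list(10))    # EvmGroup-desktop, as reported
SELF_SERVICE_RESP = (200, '{"name":"services","count":10,"subcount":0,"resources":[]}')
DESKTOP_RESP_FIXED = (403, '{"error":"forbidden"}')  # constructed body for the fix

HREF_ID = re.compile(r"/api/[^/]+/(\d+)$")


def visible_ids(status, body):
    """Ids a principal can see in a collection, or None if the role gets a 403.

    A 403 means the collection is closed to the role (the outcome the comment
    describes once read actions carry role identifiers); that is not a leak.
    """
    if status == 403:
        return None
    doc = json.loads(body)
    ids = set()
    for res in doc.get("resources", []):
        m = HREF_ID.search(res["href"])
        if m:
            ids.add(int(m.group(1)))
    # subcount is the RBAC-filtered size; it must agree with what was returned
    if doc.get("subcount") != len(ids):
        raise ValueError(f"subcount {doc.get('subcount')!r} != {len(ids)} resources")
    return ids


def leaked_ids(resp, permitted_ids):
    """Sorted ids the response exposes beyond what the role is permitted.

    For a group the OPS UI hides Services from, permitted_ids is empty, so
    any resource in the body is a leak.
    """
    seen = visible_ids(*resp)
    if seen is None:
        return []
    return sorted(seen - set(permitted_ids))
```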
RBAC for API Services in 5.6