Description of problem:
A user with the child tenant role is able to delete/edit a catalog item created by an admin user attached to a parent tenant within the web UI.

Version-Release number of selected component (if applicable):
CloudForms 4.1

How reproducible:
Always

Steps to Reproduce:
1. Create a catalog item with an admin user attached to the parent tenant.
2. Create a new user as a child tenant with an admin role.
3. Have the user attached to the child tenant delete the catalog item created by the admin.

Actual results:
Child tenant user is allowed to edit/remove the catalog item.

Expected results:
Child tenant should not have access to edit/remove the catalog of the parent tenant.

Additional info:
John, looks like there was a needinfo for you way back. Not sure where this stands.
I believe this is by design:

'ServiceTemplate' => :ancestor_ids,
https://github.com/ManageIQ/manageiq/blob/2a66cb59e26816c7296896620b5b7731b350943d/lib/rbac/filterer.rb#L114

You're able to see catalog items of parent and ancestor tenants. If your role has permission to modify catalog items / delete them, and you can see ones from ancestor tenants, then you can delete them.

Brad, is this still the desired functionality?
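As an added illustration (not ManageIQ code; the Tenant, CatalogItem, Role and User classes and the check methods are invented for this example), the following shows the difference between a read scope that includes ancestor tenants and a write check that additionally requires the item to belong to the user's own tenant. With a visibility-only modify check, a child-tenant admin can delete a parent-tenant item exactly as the report describes; with an owner-only check, the same user keeps read access but loses write access to it.

```ruby
# Added illustration (not ManageIQ code): how a visibility scope of
# "own tenant plus ancestors" differs from a write scope of "own tenant only".
# All class and method names here are invented for the example.

class Tenant
  attr_reader :name, :parent

  def initialize(name, parent = nil)
    @name = name
    @parent = parent
  end

  # The tenant itself plus every tenant above it in the hierarchy,
  # mirroring the :ancestor_ids style of read scope described in the thread.
  def ancestor_chain
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

class CatalogItem
  attr_reader :name, :owner_tenant

  def initialize(name, owner_tenant)
    @name = name
    @owner_tenant = owner_tenant
  end
end

class Role
  def initialize(can_modify_catalog:)
    @can_modify_catalog = can_modify_catalog
  end

  def can_modify_catalog?
    @can_modify_catalog
  end
end

User = Struct.new(:name, :tenant, :role)

# Read scope: a user sees catalog items owned by their own tenant or any ancestor tenant.
def visible?(user, item)
  user.tenant.ancestor_chain.include?(item.owner_tenant)
end

# Behaviour described in the report: a modify permission plus visibility is enough to edit/delete.
def can_modify_visibility_only?(user, item)
  user.role.can_modify_catalog? && visible?(user, item)
end

# Tightened check: modification additionally requires the item to belong to the user's own tenant,
# so ancestor items stay readable but not writable.
def can_modify_owner_only?(user, item)
  user.role.can_modify_catalog? && item.owner_tenant.equal?(user.tenant)
end

# Constructed sample hierarchy and users (sample data for the example).
PARENT  = Tenant.new("parent")
CHILD   = Tenant.new("child", PARENT)

PARENT_ITEM = CatalogItem.new("db-service", PARENT)
CHILD_ITEM  = CatalogItem.new("web-service", CHILD)

CHILD_ADMIN  = User.new("child-admin", CHILD, Role.new(can_modify_catalog: true))
PARENT_ADMIN = User.new("parent-admin", PARENT, Role.new(can_modify_catalog: true))

if __FILE__ == $PROGRAM_NAME
  [[CHILD_ADMIN, PARENT_ITEM], [CHILD_ADMIN, CHILD_ITEM], [PARENT_ADMIN, CHILD_ITEM]].each do |user, item|
    puts "#{user.name} on #{item.name}: visible=#{visible?(user, item)} " \
         "modify(visibility-only)=#{can_modify_visibility_only?(user, item)} " \
         "modify(owner-only)=#{can_modify_owner_only?(user, item)}"
  end
end
```

Running the file prints one line per user/item pair; the child admin sees the parent's item under both policies, but only the visibility-only policy lets it modify that item. The parent admin cannot see or modify the child's item under either policy, because the child tenant is not in the parent's ancestor chain.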