Bug 1440931 - Authentication Self_Service UI externalauth/miqldap Lack of user perms clarification
Summary: Authentication Self_Service UI externalauth/miqldap Lack of user perms clarif...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - Service
Version: 5.6.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: GA
: 5.9.0
Assignee: Allen W
QA Contact: Matt Pusateri
URL:
Whiteboard: auth:externalauth:miqldap:ssui
Depends On:
Blocks: 1443800
TreeView+ depends on / blocked
 
Reported: 2017-04-10 18:57 UTC by Matt Pusateri
Modified: 2018-03-06 14:56 UTC (History)
8 users (show)

Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1443800 (view as bug list)
Environment:
Last Closed: 2018-03-06 14:56:07 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1435468 0 high CLOSED MIQ LDAP - Certain users with special attributes can't log in to services UI. 2021-02-22 00:41:40 UTC

Internal Links: 1435468

Description Matt Pusateri 2017-04-10 18:57:47 UTC 
Description of problem:

When a user doesn't have perms to the self_service UI, we should either not let them log in or log them in and tell them they don't have perms to view anything, right now we give them a blank dashboard and that's confusing.

Version-Release number of selected component (if applicable):
5.6.4, 5.7.2, 5.8.0.9-alpha2

How reproducible:


Steps to Reproduce:
1. Setup a user with no permissions that would be valid in SSUI evmGroup-auditor and or evmGroup-vm-user should work.
2. Log in and get a blank dashboard
3.

Actual results:
When you log in you get a blank dashboard

Expected results:
Either the dashboard should tell you that you have no perms, or better yet, we don't let you log in and tell you it's a permissions issue. 

Additional info:
Comment 2 Chris Kacerguis 2017-04-10 18:59:36 UTC 
This looks to be a UXD issue, not a technical one.
Comment 3 Dave Johnson 2017-04-13 22:21:24 UTC 
adding blocker as a thought, this is closely related to bug 1435468 which is a blocker
Comment 7 Serena 2017-04-19 17:52:34 UTC 
Please add an error message on the login screen in this case.  The text should be:

"You do not have permission to view the Service UI.  Contact your administrator to update your group permissions."

Thanks!
Comment 8 Allen W 2017-04-19 18:04:50 UTC 
To confirm, if the user has permission to view the dashboad, but the dashboard is blank, refuse their login? 

(presently if they are able to view an empty dashboard we let them login)
Comment 9 Dave Johnson 2017-04-19 18:20:52 UTC 
Right, I believe we want to go with comment 7 when we hit this scenario.  If they don;t have enough permissions for the service ui to be usable, then we shouldn't let them in.
Comment 10 Allen W 2017-04-19 18:44:51 UTC 
Thanks for the feedback dave! 

https://github.com/ManageIQ/manageiq-ui-service/pull/693
Comment 12 Matt Pusateri 2017-10-11 19:55:40 UTC 
I need a list of roles that have SSUI perms, initial testing fails and without a list of valid roles, I'm blocked.
Comment 13 Allen W 2017-10-11 20:01:23 UTC 
Hi Matt! Unfortunately I do not have a list of roles that have Service UI permissions.
Comment 14 Allen W 2017-10-11 20:10:18 UTC 
Though roles that have the product features service_view, svc_catalog_provision and catalog_items_view will have "My Services" "My Orders" and "Service Catalog" respectively, enabled. This is subject to change as the new SUI rbac section is being fleshed out.
Comment 15 Matt Pusateri 2017-12-06 20:38:33 UTC 
Verified on 5.9.0.11 Ext Auth FreeIPA/AD/OpenLDAP  Also MIQLDAP OpenLDAP, want to test MIQLDAP a bit more.
Comment 16 Matt Pusateri 2018-01-22 21:16:09 UTC 
Verified 5.9.0.17 External Auth: FreeIPA, AD, OpenLDAP
Note You need to log in before you can comment on or make changes to this bug.