Bug 1465642 - Non-admin users unable to see Catalog Items in SUI
Non-admin users unable to see Catalog Items in SUI
Status: CLOSED DUPLICATE of bug 1507029
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
5.8.0
All All
high Severity high
: GA
: 5.9.0
Assigned To: Yuri Rudman
Landon LaSmith
ssui:catalog:rbac
: TestOnly, ZStream
Depends On:
Blocks: 1468295
  Show dependency treegraph
 
Reported: 2017-06-27 16:23 EDT by Ryan Spagnola
Modified: 2018-01-15 10:47 EST (History)
8 users (show)

See Also:
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1468295 (view as bug list)
Environment:
Last Closed: 2017-10-31 15:47:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
llasmith: needinfo+


Attachments (Terms of Use)
Looks like by default role you mention does not include view catalog (355.42 KB, image/png)
2017-06-28 09:53 EDT, Allen W
no flags Details

  None (edit)
Description Ryan Spagnola 2017-06-27 16:23:43 EDT
Description of problem:
When using the SUI as a non-admin user the Service Catalog Items that are tagged for the user to be able to see are not seen by the user. In fact the Service Catalog menu is not even displayed for the user. The user is able to see My Services and Orders menus.


Version-Release number of selected component (if applicable):
5.8

How reproducible:
Always

Steps to Reproduce:
1. 
2.
3.

Actual results:


Expected results:


Additional info:
This happens with either fresh appliance or upgrade to 4.5
Comment 2 Allen W 2017-06-28 09:30:37 EDT
So we've run into this a few times and its usually a role product feature issue.  Please confirm the current role of the user has the appropriate product features to see the service catalog.  (that you can't see the menu item  is indicates this is likely not a bug, rather a misconfiguration)

Guessing no ip or ss are an option?
Comment 3 Brant Evans 2017-06-28 09:40:01 EDT
Allen,

This happens when using the EvmRole-user_self_service role for the group. So if it is a problem with the role then it is a bug in the product as the role that ships does not work.
Comment 4 Brant Evans 2017-06-28 09:41:54 EDT
This is happening on a customers system so no IP, but I can work with the customer to get a screen-share going if you would like.
Comment 5 Allen W 2017-06-28 09:53 EDT
Created attachment 1292658 [details]
Looks like by default role you mention does not include view catalog

Can you confirm or deny if the user role has the `catalog_items_view` product feature?
Comment 6 Allen W 2017-06-28 09:58:24 EDT
Hey ChrisK who do we talk to about changing the product features of the sui role? It needs to have the following product feature enabled (if the desired goal is to allow sui users to see catalogs)   
      :name: View Catalog Items
      :description: View Catalog Items
      :feature_type: view
      :identifier: catalog_items_view
Comment 7 Brant Evans 2017-06-28 10:05:38 EDT
There is a Services -> Catalogs Explorer -> Catalog Items -> View Catalog Items product feature that I see and it is not selected.

I copied the EvmRole-user_self_service to a new role and enabled the feature. I am now able to see the Service Catalog in the SUI as a non-admin user. Only the catalog items that are supposed to be shown (based on tagging) are shown to the user.

Is this a new feature in 4.5? or a change in behavior for how the feature is used between 4.2 and 4.5?

Either way this feature should be enabled by default for the EvmRole-user_self_service (and maybe others).
Comment 9 Chris Kacerguis 2017-06-29 09:05:37 EDT
Looks like we need to change product features of the sui role. It needs to have the following product feature enabled
  
      :name: View Catalog Items
      :description: View Catalog Items
      :feature_type: view
      :identifier: catalog_items_view

(not 100% sure the "Appliance" category is the right one, so apologies if it isn't)
Comment 11 CFME Bot 2017-07-05 06:26:16 EDT
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/ad6c4cb141257ca7eba82f43d3269bea4aa1a6ef

commit ad6c4cb141257ca7eba82f43d3269bea4aa1a6ef
Author:     Yuri Rudman <yrudman@redhat.com>
AuthorDate: Fri Jun 30 10:12:15 2017 -0400
Commit:     Yuri Rudman <yrudman@redhat.com>
CommitDate: Fri Jun 30 10:12:15 2017 -0400

    added 'catalog_items_view' product feature to ssui roles
    https://bugzilla.redhat.com/show_bug.cgi?id=1465642

 db/fixtures/miq_user_roles.yml | 2 ++
 1 file changed, 2 insertions(+)
Comment 13 Landon LaSmith 2017-10-27 08:48:12 EDT
Kicking this back b/c the default EvmRole-user_self_service (and EvmRole-user_limited_self_service) role doesn't allow the non-admin user to view the Service Catalog (or login) via the Self Service UI.  The role needs to enable Service UI -> Service Catalog -> View as a default permission

Version: 5.9.0.4.20171024163837_ef71ea6
Comment 14 Yuri Rudman 2017-10-27 09:50:16 EDT
Landon,

This change was already released in 5.8.1.2 - https://bugzilla.redhat.com/show_bug.cgi?id=1468295. 

Could you verify this one and create create another BZ against version 5.8.1.1 with description of changes you are proposing ?  It would help to keep track of the issue.

Thanks!
Comment 15 Landon LaSmith 2017-10-27 10:46:18 EDT
Yuri,

5.9 now has separate permissions to grant access to items in the SSUI under "Service UI".

:name: Show
:description: Show Service Catalog
:feature_type: view
:identifier: sui_svc_catalog_view


This issue isn't present in CFME 5.8.2.3. because there are no separate features required to enable SSUI access.
Comment 16 Yuri Rudman 2017-10-31 15:47:35 EDT

*** This bug has been marked as a duplicate of bug 1507029 ***

Note You need to log in before you can comment on or make changes to this bug.