Created attachment 1367488
Screenshot of evmrole-security configuration
Description of problem:
The Control->Explorer page is visible when authenticated as a user that has the EvmRole-Security role.
This role should only have access to Control->Simulation and Control->Log. Included screenshot shows evmrole-security default configuration, and default visibility.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create user with evmgroup-security/evmrole-security
2. Login as user
3. Note visibility for Control->Explorer
Actual results:
Control->Explorer is visible
Expected results:
Only Log and Simulation are visible under Control
Tested with an aws_iam user, but AWS only provides auth, and doesn't impact RBAC.
Created attachment 1367489
Screenshot of evmrole-security visibility
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.
If it's something like a tracker bug where it doesn't matter, please set the severity to Low.
(In reply to Dave Johnson from comment #3)
> Please assess the impact of this issue and update the severity accordingly.
> Please refer to
> https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a
> reminder on each severity's definition.
> If it's something like a tracker bug where it doesn't matter, please set the
> severity to Low.
ack, set to medium
This is also true in 18.104.22.168, Control->Explorer is not included in evmrole-security configuration, but is visible to a user with this role.
This behavior is present for:
Appliance version: 22.214.171.124
There's also a problem with Automation -> Ansible, it's visible when it should not be, for:
Tested with ldap user.
I've written separate bugs for each of the RBAC mismatches that I've found on the default roles.
Please record any issues with Automation->Ansible vertical nav/access control in a separate BZ so that we can accurately track RBAC changes.
Unless Harpreet would prefer these two separate vertical nav issues under one BZ, in which case ignore me.
bz 1531499 opened.
(In reply to Antonin Pagac from comment #9)
> bz 1531499 opened.
Very much appreciated!
New commit detected on ManageIQ/manageiq/master:
Author: Harpreet Kataria <firstname.lastname@example.org>
AuthorDate: Tue Jan 9 12:18:33 2018 -0500
Commit: Harpreet Kataria <email@example.com>
CommitDate: Tue Jan 9 12:18:33 2018 -0500
Fixed control explorer feature id
Fixed control explorer feature id for EvmRole-security, EvmRole-support, EvmRole-auditor, EvmRole-approver roles. This was causing confusion by not showing them as selected in the Product features tree whereas these roles did have access to Control explorer in UI.
db/fixtures/miq_user_roles.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)