Created attachment 1367488: Screenshot of evmrole-security configuration

Description of problem:
The Control->Explorer page is visible when authenticated as a user that has the EvmRole-Security role. This role should only have access to Control->Simulation and Control->Log. Included screenshot shows evmrole-security default configuration, and default visibility.

Version-Release number of selected component (if applicable):
5.8.2.3

How reproducible:
100%

Steps to Reproduce:
1. Create user with evmgroup-security/evmrole-security
2. Login as user
3. Note visibility for Control->Explorer

Actual results:
Control->Explorer is visible

Expected results:
Only Log and Simulation are visible under Control

Additional info:
Tested with an aws_iam user, but AWS only provides auth, and doesn't impact RBAC.
Created attachment 1367489: Screenshot of evmrole-security visibility
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.
(In reply to Dave Johnson from comment #3)
> Please assess the impact of this issue and update the severity accordingly.
> Please refer to
> https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a
> reminder on each severity's definition.
>
> If it's something like a tracker bug where it doesn't matter, please set the
> severity to Low.

ack, set to medium
This is also true in 5.9.0.12, Control->Explorer is not included in evmrole-security configuration, but is visible to a user with this role.
This behavior is present for:
EvmRole-security
EvmRole-support
EvmRole-auditor
EvmRole-approver
Appliance version: 5.8.3.0

There's also a problem with Automation -> Ansible, it's visible when it should not be, for:
EvmRole-administrator
EvmRole-user_self_service
EvmRole-vm_user
EvmRole-desktop

Tested with ldap user.
Antonin, I've written separate bugs for each of the RBAC mismatches that I've found on the default roles. Please record any issues with Automation->Ansible vertical nav/access control in a separate BZ so that we can accurately track RBAC changes. Unless Harpreet would prefer these two separate vertical nav issues under one BZ, in which case ignore me.
bz 1531499 opened.
(In reply to Antonin Pagac from comment #9)
> bz 1531499 opened.

Very much appreciated!
https://github.com/ManageIQ/manageiq/pull/16780
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/827e8a860363b78f342f111fb6c42764a6994c03

commit 827e8a860363b78f342f111fb6c42764a6994c03
Author:     Harpreet Kataria <hkataria>
AuthorDate: Tue Jan 9 12:18:33 2018 -0500
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Jan 9 12:18:33 2018 -0500

    Fixed control explorer feature id

    Fixed control explorer feature id for EvmRole-security, EvmRole-support, EvmRole-auditor, EvmRole-approver roles. This was causing confusion by not showing them as selected in the Product features tree whereas these roles did have an access to Control explorer in UI.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1525598

 db/fixtures/miq_user_roles.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
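The bug above comes down to a role fixture whose feature identifiers did not line up with what the UI actually gates on, so the Product features tree and the rendered navigation disagreed. The following is an added Ruby example, not ManageIQ's own code and not a model of its real RBAC lookup: a small fixture audit that (a) flags feature identifiers a role lists that resolve to nothing in the feature tree, and (b) derives each role's visible Control items from the tree and compares them with an expected-visibility table. The YAML fixtures, the feature identifiers (`control_explorer`, `control_simulation`, `control_log`, `control_explorer_old`) and the expected-visibility table are all constructed for this example.

```ruby
require 'yaml'
require 'set'

# Constructed feature tree (hypothetical identifiers): each navigation item
# under Control is gated by exactly one feature identifier.
NAV_FEATURES = {
  'Control->Explorer'   => 'control_explorer',
  'Control->Simulation' => 'control_simulation',
  'Control->Log'        => 'control_log',
}.freeze

# Constructed "before" fixture: EvmRole-security over-grants Control->Explorer,
# and EvmRole-auditor references an identifier that no longer exists.
ROLES_BEFORE = <<~YAML
  - name: EvmRole-security
    features: [control_simulation, control_log, control_explorer]
  - name: EvmRole-auditor
    features: [control_simulation, control_log, control_explorer_old]
  - name: EvmRole-administrator
    features: [control_explorer, control_simulation, control_log]
YAML

# Constructed "after" fixture with both problems corrected.
ROLES_AFTER = <<~YAML
  - name: EvmRole-security
    features: [control_simulation, control_log]
  - name: EvmRole-auditor
    features: [control_simulation, control_log]
  - name: EvmRole-administrator
    features: [control_explorer, control_simulation, control_log]
YAML

# Constructed expectation: what each role is supposed to see under Control.
EXPECTED = {
  'EvmRole-security'      => ['Control->Simulation', 'Control->Log'],
  'EvmRole-auditor'       => ['Control->Simulation', 'Control->Log'],
  'EvmRole-administrator' => ['Control->Explorer', 'Control->Simulation', 'Control->Log'],
}.freeze

# role name => list of feature identifiers
def load_roles(yaml_text)
  YAML.safe_load(yaml_text).to_h { |r| [r['name'], r['features']] }
end

# Identifiers a role lists that do not resolve to any feature in the tree.
# These are exactly the entries a product-features tree cannot show as selected.
def stale_ids(roles)
  known = NAV_FEATURES.values.to_set
  roles.transform_values { |fids| fids.reject { |f| known.include?(f) } }
       .reject { |_, stale| stale.empty? }
end

# Navigation items a role can see, derived only from resolvable identifiers.
def visible_nav(feature_ids)
  NAV_FEATURES.select { |_, fid| feature_ids.include?(fid) }.keys
end

# Roles whose derived visibility differs from the expected table.
def visibility_mismatches(roles, expected = EXPECTED)
  expected.each_with_object({}) do |(role, want), out|
    got = visible_nav(roles.fetch(role, []))
    out[role] = { expected: want.sort, actual: got.sort } unless got.sort == want.sort
  end
end

# Full audit of one fixture: both stale identifiers and visibility drift.
def audit(yaml_text)
  roles = load_roles(yaml_text)
  { stale: stale_ids(roles), mismatches: visibility_mismatches(roles) }
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{audit(ROLES_BEFORE)}"
  puts "after:  #{audit(ROLES_AFTER)}"
end
```

Running the audit on the "before" fixture reports EvmRole-security as seeing Control->Explorer when it should not, and EvmRole-auditor as carrying an identifier the tree cannot resolve; the "after" fixture passes cleanly. A check like this belongs in CI next to the role fixture, because a role's navigation visibility is only as trustworthy as the identifiers it is built from.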