Description of problem: In CloudForms 4.6 (both GA & errata release 1), when I create a group that is using a role that has VM access restrictions set to anything other than "none", users of the group cannot see any catalog items. Applying a tag to the group's filtering, and then applying the same tag to the catalog item does not make it visible, as it as in previous versions of CloudForms Version-Release number of selected component (if applicable): GA & errata 1 How reproducible: Always Steps to Reproduce: 1. Create group assigned to a role with VM access restriction set to "Only User Owned" or "Only User or Group Owned". 2. Set a filtering tag for the group under "This user is limited to items with the selected tags." 3. Assign that same tag to a catalog item. Actual results: Catalog item should be visible to users of this group Expected results: Catalog item is not visible to users of the group Additional info: Have obserbed this in 3 different environments so far - one upgrade from 4.5 (where it previously worked) to 4.6 GA, and one new deployment of 4.6 GA and 4.6 errata 1 each.
Changing component to Appliance to review as it appears to be an RBAC issue.
VERIFIED in 5.10.0.2. A restricted user (ownership and tagging) can see catalog items that are not user/group owned when they both have the same tag