Description of problem: Tenant admins is not able to see newly created users Version-Release number of selected component (if applicable): 5.8.4.5 How reproducible: Always Steps to Reproduce: 1.Login to cloudforms portal with tenant admin user 2.Create a new user Actual results: Newly created user is not visible. Expected results: Newly created use should be visible to tenant admin.
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.
This seems to have been broken by (master/gaprindashvili) https://github.com/ManageIQ/manageiq/pull/17061 and a backport to fine: https://github.com/ManageIQ/manageiq/pull/17292 It looks like the workaround for now is to put the tenant administrator in all groups but we should treat tenant administrators as administrators over the whole tenant. I'm guessing tenant administrators should see all users within the tenant but not outside the tenant. Currently, it can only see users in the same group (and tenant) as the tenant administrator.
Gregg, can you mark this as duplicate or link this to your code change?
https://github.com/ManageIQ/manageiq/pull/17768
New commits detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/4d996af2350e2513cb57870f0610abd12e799b53 commit 4d996af2350e2513cb57870f0610abd12e799b53 Author: Gregg Tanzillo <gtanzill> AuthorDate: Thu Jul 26 15:26:40 2018 -0400 Commit: Gregg Tanzillo <gtanzill> CommitDate: Thu Jul 26 15:26:40 2018 -0400 Enable identification of `tenant_admin` role based on product feature `rbac_tenant` https://bugzilla.redhat.com/show_bug.cgi?id=1596639 https://bugzilla.redhat.com/show_bug.cgi?id=1596266 app/models/miq_product_feature.rb | 2 + app/models/miq_user_role.rb | 4 + 2 files changed, 6 insertions(+) https://github.com/ManageIQ/manageiq/commit/2f61692f134cdb790d99964a163e9426c0168929 commit 2f61692f134cdb790d99964a163e9426c0168929 Author: Gregg Tanzillo <gtanzill> AuthorDate: Thu Jul 26 15:28:06 2018 -0400 Commit: Gregg Tanzillo <gtanzill> CommitDate: Thu Jul 26 15:28:06 2018 -0400 Specs for testing group visibility for tenant admins https://bugzilla.redhat.com/show_bug.cgi?id=1596639 https://bugzilla.redhat.com/show_bug.cgi?id=1596266 spec/lib/rbac/filterer_spec.rb | 41 +- spec/models/miq_user_role_spec.rb | 15 + 2 files changed, 47 insertions(+), 9 deletions(-) https://github.com/ManageIQ/manageiq/commit/89347595eda522037795fd918f76521faff84ef4 commit 89347595eda522037795fd918f76521faff84ef4 Author: Gregg Tanzillo <gtanzill> AuthorDate: Thu Jul 26 15:29:36 2018 -0400 Commit: Gregg Tanzillo <gtanzill> CommitDate: Thu Jul 26 15:29:36 2018 -0400 Allow tenant admins to see all groups within the scope of their tenant Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596639 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596266 lib/rbac/filterer.rb | 7 +- 1 file changed, 4 insertions(+), 3 deletions(-)
Verified with 5.10.0.15.