Created attachment 1555230 [details] screenshot Description of problem: A user with EVMRole-user_self_service role not able to retire the service but when I enabled the "Approve and Deny" permission is here in role so user able to retire the service. Version-Release number of selected component (if applicable): Version: 5.10.3.2.20190410215422_59d5d16 How reproducible: 100% Steps to Reproduce: 1. Copy role "EVMRole-user_self_service" and "Access Restriction for Services, VMs, and Templates" set to "None" 2. Create Group and users 2. Create service as the "admin" user or non-admin user 3. ordered the service 4. Login to ssui portal as above created non-admin user 5. Retire the Service Actual results: Toast Notifications appears with error message "There was an error removing one or more services." Expected results: Additional info:
The stack trace: MIQ(Api::ServicesController.api_error) /opt/rh/cfme-gemset/bundler/gems/cfme-api-3e9150d0c9d6/app/controllers/api/base_controller/authentication.rb:73:in `validate_user_identity' log/api.log:[----] E, [2019-04-16T15:25:36.998719 #15214:39a1250] ERROR -- : MIQ(Api::ServicesController.api_error) /opt/rh/cfme-gemset/bundler/gems/cfme-api-3e9150d0c9d6/app/controllers/api/base_controller/authentication.rb:86:in `auth_user' log/api.log:[----] E, [2019-04-16T15:25:36.998735 #15214:39a1250] ERROR -- : MIQ(Api::ServicesController.api_error) /opt/rh/cfme-gemset/bundler/gems/cfme-api-3e9150d0c9d6/app/controllers/api/base_controller/authentication.rb:101:in `authenticate_with_user_token' log/api.log:[----] E, [2019-04-16T15:25:36.998750 #15214:39a1250] ERROR -- : MIQ(Api::ServicesController.api_error) /opt/rh/cfme-gemset/bundler/gems/cfme-api-3e9150d0c9d6/app/controllers/api/base_controller/authentication.rb:27:in `require_api_user_or_token' log/api.log:[----] E, [2019-04-16T15:25:36.998796 #15214:39a1250] ERROR -- : MIQ(Api::ServicesController.api_error) /opt/rh/cfme-gemset/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:382:in `block in make_lambda' log/api.log:[----] E, [2019-04-16T15:25:36.998812 #15214:39a1250] ERROR -- : MIQ(Api::ServicesController.api_error) /opt/rh/cfme-gemset/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:150:in `block (2 levels) in halting_and_conditional' I'm seeing errors about [Couldn't find User with 'id'=34] which makes sense since there's 1 and 35, I'm looking more into it.
Created attachment 1555887 [details] mapping of ops/sui roles -- OLD This needs to get updated to include approval for retirement and provisioning and approval in general and that's a call that's probably in the hands of someone like Loic... I also am not sure what else is missing on this sheet but it's pretty old, and I feel like maybe there are other things. So it'd be great to have someone with power take a look at this.
I'd like to say for the record that, as a non-admin user you can see an admin user's services from the SUI ... that feels bad. The fact that you're supposed to be able to retire the services feels even more wrong.
Hey Tina, I have some questions on the expected behavior of this ticket and I was wondering if you could help me get them answered please.
After discussion with Tina, I think that we have a bigger issue regarding approval than the scope of what this ticket appears to be open for. Because of that, I don't believe it's actionable at the moment.
Could you please retest with a user that also has the permission Everything -> Services -> Requests -> Operate -> approve and deny ?
Drew, Yes user can retire the service when we give approve and deny permission to user. I have already mentioned in bz description. "A user with EVMRole-user_self_service role not able to retire the service but when I enabled the "Approve and Deny" permission is here in role so user able to retire the service"
https://github.com/ManageIQ/manageiq-api/pull/599
able to retire the service when role is EVMRole-user_self_service Verified in Version 5.11.0.8.20190611155126_01e077e