Description of problem:
If a group is added, the users from that particular group are not inheriting the permissions automatically.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Create a user
2. Create a group, add the users in the group
3. Click on Permissions -> Add Permissions

Actual results:
- ldap groups are present, available, but when permissions are assigned, they are not propagated

Expected results:
- Permissions must be inherited automatically to the users in the group

Additional info:
I've just checked that group permissions are inherited properly to the group members and also group permissions are visible within webadmin in Administration / Users when you click on a User Name detail in the Permissions tab. So could you please retest the following scenario:

1. Create group with name group1 on LDAP server
2. Create user with username user1 on LDAP server
3. Try to login with user1 to webadmin - it should fail due to insufficient permissions
4. Login to webadmin using administrator account and perform the following steps
   a. Navigate to Administration / Users and then to Group tab
   b. Click Add, select the relevant authorization provider for your LDAP server and add group1
   c. In the Group tab click on Group Name group1, switch to Permissions tab and add SuperUser system permission
   d. Navigate to Administration / Users and then to Users tab
   e. Find user user1 and click on its user name, then navigate to Permissions tab and verify that the user doesn't have SuperUser role, which is correct, because the user is not a member of group group1
   f. Logout from webadmin
5. Go to LDAP and make user user1 member of the group group1
6. Login to webadmin using user1 -> authentication should succeed, because user user1 is now a member of group group1, which has SuperUser role
7. You can navigate to Administration / Users, find user1, click on its user name and navigate to Permissions tab, you should see SuperUser role within its permissions

If the above doesn't work, then you probably have an issue within group mapping of your aaa-ldap provider.
You can try to execute the below command on your RHVM machine to display groups of your user user1:

  $ ovirt-engine-extensions-tool aaa search \
      --extension-name=<YOUR LDAP AUTHZ PROVIDER NAME> \
      --entity=principal \
      --authz-flag=resolve-groups \
      --entity-name=user1

In the generated output you should see something like below:

  INFO: --- Begin GroupRecord ---
  Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
  INFO: AAA_AUTHZ_GROUP_ID: c7040212-fe92-4f7a-839b-bd42d9ec8ae4
  Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
  INFO: AAA_AUTHZ_GROUP_DISPLAY_NAME:
  Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
  INFO: AAA_AUTHZ_GROUP_NAMESPACE: *
  Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
  INFO: AAA_AUTHZ_GROUP_NAME: group1
  Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
  INFO: AAA_JDBC_GROUP_DESCRIPTION:
  Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl$Dump dumpGroups
  INFO: --- End GroupRecord ---

where the important line is

  INFO: AAA_AUTHZ_GROUP_NAME: group1

If there is no GroupRecord found, then your group mapping is not set up correctly.
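As an added example (not part of the comment above and not oVirt's own tooling), a small POSIX shell helper that wraps the search command from the comment and parses its output for the resolved group names, so the "is group1 mapped to user1?" check can be scripted instead of read by eye. The sample output is constructed in the format shown above; the second GroupRecord (group2) is invented to show that several groups are handled.

```shell
#!/bin/sh
# Added example: check whether an LDAP group is resolved for a user by the
# aaa-ldap provider, using the ovirt-engine-extensions-tool search output.

# Run the search from the comment for one user and print the raw tool output.
# $1 = authz extension name, $2 = user name. Assumes the tool is installed
# on the RHVM machine; it is not called by the sample run below.
aaa_search_user_groups() {
  ovirt-engine-extensions-tool aaa search \
    --extension-name="$1" \
    --entity=principal \
    --authz-flag=resolve-groups \
    --entity-name="$2"
}

# Read tool output on stdin; print one resolved group name per line,
# taken from the "INFO: AAA_AUTHZ_GROUP_NAME: <name>" lines.
aaa_group_names() {
  sed -n 's/^INFO: AAA_AUTHZ_GROUP_NAME: *//p' | sed 's/[[:space:]]*$//'
}

# Read tool output on stdin; return 0 if group "$1" was resolved, 1 otherwise.
aaa_has_group() {
  aaa_group_names | grep -qx -- "$1"
}

# Constructed sample output (not captured from a real system); group2 and its
# id are invented, group1's id is the one quoted in the comment.
SAMPLE_OUTPUT='Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl$Dump dumpGroups
INFO: --- Begin GroupRecord ---
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_ID: c7040212-fe92-4f7a-839b-bd42d9ec8ae4
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_NAME: group1
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl$Dump dumpGroups
INFO: --- End GroupRecord ---
INFO: --- Begin GroupRecord ---
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_ID: 00000000-0000-4000-8000-000000000002
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_NAME: group2
INFO: --- End GroupRecord ---'

# Sample run over the constructed output. Against a real engine you would pipe
# aaa_search_user_groups "<YOUR LDAP AUTHZ PROVIDER NAME>" user1 into aaa_has_group.
if printf '%s\n' "$SAMPLE_OUTPUT" | aaa_has_group group1; then
  echo "group1 resolved for user1: group mapping works"
else
  echo "group1 NOT resolved for user1: check the aaa-ldap provider group mapping"
fi
```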