804524 – Do not allow users without any global role grants to see Administer in the UI

Bug 804524 - Do not allow users without any global role grants to see Administer in the UI

Summary: Do not allow users without any global role grants to see Administer in the UI

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	CloudForms Cloud Engine
Classification:	Retired
Component:	aeolus-conductor
Sub Component:
Version:	1.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Assignee:	Angus Thomas
QA Contact:	Rehana
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-19 07:25 UTC by james labocki
Modified:	2020-03-27 18:05 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-27 18:05:13 UTC
Embargoed:

Attachments	(Terms of Use)

Description james labocki 2012-03-19 07:25:26 UTC

Description of problem:
Do not allow users without any global role grants to see Administer in the UI. For users who are self-service users only it is important not to even display the "Administer" tab as it can confuse them. Alternatively, create a role of "self-service user" which only provides a view of "Monitor" tab.

Version-Release number of selected component (if applicable):
aeolus-conductor-0.8.0-41.el6.noarch
aeolus-all-0.8.0-41.el6.noarch

Comment 1 Scott Seago 2012-03-20 01:11:02 UTC

This is not quite correct -- and (broken record time) why 'Administer' is not a good name for the second top level tab. There are various things that users with no global level permissions still need access to. For example:

1) Cloud/Pool Family Administrator (not global here) -- the Cloud/Pool Family UI is on the 'Administer' side
2) Cloud Image Administrator (also not global) -- the Image build/push UI is under the Cloud UI
3) even regular end users will have permission to see the image list within Clouds they have permissions on
4) Regular users with no global role grants have permission to see the Realm/Cluster mappings
5) non-global admins may have rights on individual Providers and Provider Accounts (which belongs to the 'administer' side)

In addition every user has at least one global role grant by default ('Global HWP User') without which the user won't be able to launch anything -- so the test of "any global role grant" will show the administer tab anyway.

Also -- be careful not to specify behavior based on specific role grants since a role is just a collection of lower-level privileges that are assigned as a group. All permission checks should check against specific low-level privileges in the context of a specific resource (or object type). For example the details page for a specific provider (under 'administer') will be shown whether the user has global provider view privilege via the "Administrator" role or global provider view privilege via the "Provider Administrator" (more limited admin) role or simply the "Provider User" role on that one provider (no global role at all).

As it stands now, we should be filtering everything by permissions below the top level tabs anyway -- there are a couple bugs open to address a few situations where we're not yet doing that properly.

Post-1.0 I'd like to see the top level (Monitor and Administer) re-named something more accurate (something like "Front end" and "back end", or whatever we eventually settle on for "Clouds" and "Providers" (in that case we'd need to move the 'Clouds' tab over from second main tab back t othe first). But that's a different discussion entirely.

As for this bug, I don't think showing the tab is a bug, given the many situations in which non-global-admin users need access to something on the 'administer' side.

Note You need to log in before you can comment on or make changes to this bug.