Bug 804524 - Do not allow users without any global role grants to see Administer in the UI
Status: NEW
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-conductor
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Angus Thomas
Keywords: FutureFeature, Triaged
Reported: 2012-03-19 03:25 EDT by james labocki
Modified: 2014-01-05 13:36 EST
Doc Type: Enhancement

Description james labocki 2012-03-19 03:25:26 EDT
Description of problem:
Do not allow users without any global role grants to see Administer in the UI. For users who are self-service users only it is important not to even display the "Administer" tab as it can confuse them. Alternatively, create a role of "self-service user" which only provides a view of "Monitor" tab.

Version-Release number of selected component (if applicable):
Comment 1 Scott Seago 2012-03-19 21:11:02 EDT
This is not quite correct -- and (broken record time) why 'Administer' is not a good name for the second top level tab. There are various things that users with no global level permissions still need access to. For example:

1) Cloud/Pool Family Administrator (not global here) -- the Cloud/Pool Family UI is on the 'Administer' side
2) Cloud Image Administrator (also not global) -- the Image build/push UI is under the Cloud UI
3) even regular end users will have permission to see the image list within Clouds they have permissions on
4) Regular users with no global role grants have permission to see the Realm/Cluster mappings
5) non-global admins may have rights on individual Providers and Provider Accounts (which belongs to the 'administer' side)

In addition every user has at least one global role grant by default ('Global HWP User') without which the user won't be able to launch anything -- so the test of "any global role grant" will show the administer tab anyway.

Also -- be careful not to specify behavior based on specific role grants since a role is just a collection of lower-level privileges that are assigned as a group. All permission checks should check against specific low-level privileges in the context of a specific resource (or object type). For example the details page for a specific provider (under 'administer') will be shown whether the user has global provider view privilege via the "Administrator" role or global provider view privilege via the "Provider Administrator" (more limited admin) role or simply the "Provider User" role on that one provider (no global role at all).

As it stands now, we should be filtering everything by permissions below the top level tabs anyway -- there are a couple bugs open to address a few situations where we're not yet doing that properly.

Post-1.0 I'd like to see the top level (Monitor and Administer) re-named something more accurate (something like "Front end" and "back end", or whatever we eventually settle on for "Clouds" and "Providers" (in that case we'd need to move the 'Clouds' tab over from second main tab back to the first)). But that's a different discussion entirely.

As for this bug, I don't think showing the tab is a bug, given the many situations in which non-global-admin users need access to something on the 'administer' side.
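
The distinction drawn in Comment 1 between role-based and privilege-based checks, as an added Ruby example that is not part of the original bug report and is not aeolus-conductor code. The role names come from the comment; the privilege names, the grant model and the sample users and providers are assumptions constructed for illustration.

```ruby
require "set"

# Roles are only named bundles of low-level privileges (privilege names are assumed).
ROLES = {
  "Administrator"          => Set[[:provider, :view], [:provider, :modify], [:hwp, :use]],
  "Provider Administrator" => Set[[:provider, :view], [:provider, :modify]],
  "Provider User"          => Set[[:provider, :view]],
  "Global HWP User"        => Set[[:hwp, :use]],
}.freeze

# A grant gives a user a role either globally (object nil) or on one object.
Grant = Struct.new(:user, :role, :object)
Provider = Struct.new(:name)

class Permissions
  def initialize(grants)
    @grants = grants
  end

  # Privilege check: one action on one resource, whichever role supplies it.
  def can?(user, action, resource)
    type = resource.class.name.downcase.to_sym
    @grants.any? do |g|
      g.user == user &&
        (g.object.nil? || g.object.equal?(resource)) &&
        ROLES.fetch(g.role).include?([type, action])
    end
  end

  # The test proposed in the report: true for anyone holding a default global role.
  def any_global_grant?(user)
    @grants.any? { |g| g.user == user && g.object.nil? }
  end

  # Filtering below the tab: only the objects this user may view are listed.
  def viewable(user, resources)
    resources.select { |r| can?(user, :view, r) }
  end
end

# Constructed sample data: two providers, two admins, two ordinary users.
EC2 = Provider.new("ec2")
RHEVM = Provider.new("rhevm")
PERMS = Permissions.new([
  Grant.new("admin", "Administrator", nil),
  Grant.new("padmin", "Provider Administrator", nil),
  Grant.new("alice", "Global HWP User", nil),
  Grant.new("alice", "Provider User", EC2),
  Grant.new("bob", "Global HWP User", nil),
])
```

Here `alice` has no global provider privilege yet can view `EC2` through an object-scoped grant, while `bob` passes the "any global role grant" test and still sees no providers.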
