Description of problem:
When a user has a creator role on some object which can have children (i.e. DC), it does not make sense to show that the user also has this creator permission on some children of that object. For example, when a user has templateCreator on a DC and then creates some template, webadmin/UP shows that the user is TemplateCreator on this template - this should not be shown. Or admin@internal creates a new vmpool, and it is shown that he is PowerUserRole on that vmpool, because he has PowerUserRole on system.

Version-Release number of selected component (if applicable):
sf13

How reproducible:
always

Steps to Reproduce:
1. As admin@internal create vmpool.
2. Check vmpool permissions.

Actual results:
You can see that admin@internal has PowerUserRole on that vmpool, but it does not make sense to show these permissions.

Expected results:
PowerUserRole permissions not visible.

Additional info:
Roles determine both what you can see, and what you can do. If you are an administrator, and in addition you have some DiskCreator role on System, then you can see all the objects as you are an administrator, and you can create disks on all SDs because you have the DiskCreator role. So, the fact that you have DiskCreator shown on the SDs has a meaning.

The same applies to users, although you can't really see permissions on objects such as clusters, SDs, etc., only on leaves such as VMs, Templates, etc. Thus, if hiding such roles, I'd do that only in the user-portal / user-level API, and not in the webadmin / admin API.

Also, there is no notation of "creator" roles. A role can have no action group that allows viewing children, but it won't be a creator role. Another problematic fact is that we hide this property from the user, so hiding such roles will be weird, as users won't understand why we show one role, while not showing other roles.

So, I suggest we do one of the following:
1. Close this bug
2. Hide roles without allow_viewing_children action groups
3. Consider handling that in a bigger scope, when solving Bug #878812
simon please advise
(In reply to comment #2)
> simon please advise

Ack on comment #1, Oved please create a bug for Hide roles without allow_viewing_children action groups if that is not the current status. And then close this one.

Adding the bug to my MLA usability tracker.
(In reply to comment #3)
> (In reply to comment #2)
> > simon please advise
>
> Ack on comment #1, Oved please create a bug for Hide roles without
> allow_viewing_children action groups if that is not the current status. And
> then close this one.
>
> Adding the bug to my MLA usability tracker.

Even if opening a new bug (which I'm not sure we need... we can just change this bug's title), I think we should go with option #3. We currently hide the allow_viewing_children information from the user, so fixing problem #2 not as part of a bigger solution won't help much.
OK then, let's fix as part of bug 878812 scope, making this one dependent.
Showing inherited creator roles is relevant for some types of objects/roles. For example, DiskCreator role on System allows you to create disks in all DCs, storage domains under the DCs, etc., so showing DiskCreator also in lower levels of the hierarchy makes sense. Same for VmCreator. It is true that perhaps it is less relevant to show it on VMs or Disks, but we might decide that these roles also have an effect on these object types as well in the future. Closing this bug as WONTFIX, as it is somewhere between not a bug and not worth fixing.