Feature #19342
closed
Allow non-admin user to assign roles they don't have to another user
Added by Ondřej Pražák about 7 years ago.
Updated over 5 years ago.
Category:
Users, Roles and Permissions
|
|
Description
It would be nice if there was a separation between Foreman Admin and Org Admins, as in a multi tenancy environment.
Foreman Admin should be able to able to:
- Adding Organizations and Org Admins for it
- Delegating Subscriptions to Orgs
- Admin should only be allowed to create Orgs and Admin user for it, but not manage actual content (hosts, puppet, LC, CV,...)
Orgs Admins managing the actual contents in the Organization, like:
- Subscription management
- Users
- Adding and deploying hosts
- Create LC, CV,puppet,...
- actually what Foreman Admin does for the whole Foreman today, but only for it's own Organization (esp. no access to other Orgs)
to ensure that the actual Foreman Admin is allowed only to create new Organization and the Org Admin users.
In other words, a total separation between the Foreman Admin and Orgs Admins is desired.
The preferred workflow we aim to achieve:
- Create different Orgs as Foreman Admin and create Org Admins for it
- Upload Manifest as Foreman Admin and delegate Subscriptions (also partly) to different Orgs
- Check that Foreman Admin is not able to enter any Org (i.e. can only view that the Org is there and which Admins
are assigned to it, but nothing more)
- Login as Org admin and check that all functionality today sat admin has is there (except entering different Orgs)
- Especially check that delegated Subscriptions and associated repositories are available
- Subject changed from Improve multitenancy with admin for organization
to Improve multitenancy with admin for organization
- Category set to Users, Roles and Permissions
- Target version set to 115
This seems rather vague, can you be more precise about what you're proposing? Permissions and roles should allow you to create a type of admin user that can only create orgs, locations, and users, and another role that can manage resources assigned to certain orgs.
Dominic Cleal wrote:
This seems rather vague, can you be more precise about what you're proposing? Permissions and roles should allow you to create a type of admin user that can only create orgs, locations, and users, and another role that can manage resources assigned to certain orgs.
This aims to improve granularity for roles/permissions system to flexibly support specific multitenancy needs.
It should be possible to create a 'Foreman admin' role, that would be allowed to manage taxonomies and assign subscriptions. 'Foreman admin' should also be allowed to create new users with appropriate rights to manage resources only within specific taxonomies, thus creating 'Organization X admin' role. 'Foreman admin' should not be able to manage any resource within any organization, except for users, their permissions and inevitably also user roles. Note that despite their names, both 'Foreman admin' and 'Organization X admin' are regular users and do not have admin flag set to true, because permissions for admin are not checked and they have access everywhere. But regular users cannot assign permissions (there are no permissions to delegate permissions), only admin can do that. Maybe I missed something, but I was not able to achieve the desired outcome and therefore I consider this a valid RFE.
Ondřej Pražák wrote:
But regular users cannot assign permissions (there are no permissions to delegate permissions), only admin can do that.
*_roles permissions allow new roles to be created or to edit roles, which allows permission assignment.
Non-admin users with *_users permissions can assign roles that they themselves have, but doesn't permit assignment of other roles to users (so as to prevent escalation of the user's permissions)
Maybe I missed something, but I was not able to achieve the desired outcome and therefore I consider this a valid RFE.
Perhaps, but I'm trying to ensure this is precise enough to be fixed. What is the part that isn't implemented? The assignment of permissions to roles by non-admin users (which I think is possible), or the assignment of non-owned roles to users?
You are right, the assignment of permissions to roles by non-admin users is possible, I was missing *_filters permissions. The assignment of non-owned roles to users needs to be implemented.
- Subject changed from Improve multitenancy with admin for organization to Allow non-admin user to assign roles they don't have to another user
Note that this is denied due to #2630.
- Status changed from New to Closed
- Triaged set to No
I think this is dupe of linked issue
- Status changed from Closed to Duplicate
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by