Bug #10170
open
Unable to protect smart class parameters with role based access
Description
On Foreman 1.7.3 I have an issue where I am not able to restrict access to smart class param overrides & matches to specific organisations. I.e., if organisation A created a smart class parameter matcher on the ntp class, organisation B should not be able to see that or edit/delete it.
What I did:
I created two organisations, each with access to specific hosts. I then added the ntp puppet class to one group of hosts owned by organisation A and added a matcher in the smart class parameters for the class, whilst logged in as a user belonging to organisation A.
I logged in as a user from Organisation B who is only able to see hosts belonging to Organisation B. I then went to the puppet classes menu, and accessed the ntp smart class parameters. I could see the override and matcher values that were generated by organisation A.
Seeing this would be an issue in some use cases, I attempted to add a new role which granted access to smart class parameters specifically to parameters created by an organisation. I was unable to do so because I was unable to filter the Parameter resource type in a Role.
What I expected to happen:
I expected to be able to restrict view, add, edit and delete actions on smart class parameters to within the organisation a user belongs to, preventing users from being able to see smart class params belonging to other organisations in the same way that hosts can be isolated to an organisation.
Updated by Dominic Cleal about 9 years ago
- Category set to Organizations and Locations