Feature #19342

Allow non-admin user to assign roles they don't have to another user

Added by Ondřej Pražák 2 months ago. Updated about 1 month ago.

Status:New
Priority:Normal
Assigned To:-
Category:Authorization
Target version:Team Marek backlog
Difficulty:
Bugzilla link: 1326901
Found in release:
Pull request:
Story points: -
Velocity based estimate: -

Description

It would be nice if there was a separation between Foreman Admin and Org Admins, as in a multi tenancy environment.
Foreman Admin should be able to:
  • Add Organizations and Org Admins for them
  • Delegate Subscriptions to Orgs
  • Admin should only be allowed to create Orgs and Admin users for them, but not manage actual content (hosts, puppet, LC, CV, ...)
Org Admins manage the actual content in the Organization, like:
  • Subscription management
  • Users
  • Adding and deploying hosts
  • Create LC, CV, puppet, ...
  • actually what Foreman Admin does for the whole Foreman today, but only for its own Organization (esp. no access to other Orgs)

to ensure that the actual Foreman Admin is allowed only to create new Organization and the Org Admin users.
In other words, a total separation between the Foreman Admin and Orgs Admins is desired.

The preferred workflow we aim to achieve:
  • Create different Orgs as Foreman Admin and create Org Admins for them
  • Upload Manifest as Foreman Admin and delegate Subscriptions (also partly) to different Orgs
  • Check that Foreman Admin is not able to enter any Org (i.e. can only view that the Org is there and which Admins are assigned to it, but nothing more)
  • Log in as Org admin and check that all functionality today's sat admin has is there (except entering different Orgs)
  • Especially check that delegated Subscriptions and associated repositories are available

History

#1 Updated by Ondřej Pražák 2 months ago

  • Subject changed from Improve multitenancy with admin for organization to Improve multitenancy with admin for organization
  • Category set to Authorization
  • Target version set to Team Marek backlog

#2 Updated by Dominic Cleal 2 months ago

This seems rather vague, can you be more precise about what you're proposing? Permissions and roles should allow you to create a type of admin user that can only create orgs, locations, and users, and another role that can manage resources assigned to certain orgs.

#3 Updated by Ondřej Pražák about 1 month ago

Dominic Cleal wrote:

This seems rather vague, can you be more precise about what you're proposing? Permissions and roles should allow you to create a type of admin user that can only create orgs, locations, and users, and another role that can manage resources assigned to certain orgs.

This aims to improve granularity for roles/permissions system to flexibly support specific multitenancy needs.

It should be possible to create a 'Foreman admin' role, that would be allowed to manage taxonomies and assign subscriptions. 'Foreman admin' should also be allowed to create new users with appropriate rights to manage resources only within specific taxonomies, thus creating 'Organization X admin' role. 'Foreman admin' should not be able to manage any resource within any organization, except for users, their permissions and inevitably also user roles. Note that despite their names, both 'Foreman admin' and 'Organization X admin' are regular users and do not have admin flag set to true, because permissions for admin are not checked and they have access everywhere. But regular users cannot assign permissions (there are no permissions to delegate permissions), only admin can do that. Maybe I missed something, but I was not able to achieve the desired outcome and therefore I consider this a valid RFE.

#4 Updated by Dominic Cleal about 1 month ago

Ondřej Pražák wrote:

But regular users cannot assign permissions (there are no permissions to delegate permissions), only admin can do that.

*_roles permissions allow new roles to be created or to edit roles, which allows permission assignment.

Non-admin users with *_users permissions can assign roles that they themselves have, but this doesn't permit assignment of other roles to users (so as to prevent escalation of the user's permissions).

Maybe I missed something, but I was not able to achieve the desired outcome and therefore I consider this a valid RFE.

Perhaps, but I'm trying to ensure this is precise enough to be fixed. What is the part that isn't implemented? The assignment of permissions to roles by non-admin users (which I think is possible), or the assignment of non-owned roles to users?
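An added illustration (not Foreman's own code) of the rule described in comment #4: an admin may assign any role, while a non-admin with a *_users permission may assign only roles they themselves hold, so the non-admin 'Foreman admin' from comment #3 cannot hand out an 'Organization X admin' role they lack. The role names, permission names and the `edit_users` check are assumptions made for this example.

```ruby
# Constructed model of role assignment: who may give which role to whom.
# Roles, permission names and the "edit_users" gate are assumptions for
# this example, not Foreman's actual schema.
Role = Struct.new(:name, :permissions)

class User
  attr_reader :login, :admin, :roles
  def initialize(login, admin: false, roles: [])
    @login, @admin, @roles = login, admin, roles.dup
  end

  # Admins bypass permission checks entirely (admin flag, as in comment #3).
  def permission?(name)
    admin || roles.flat_map(&:permissions).include?(name)
  end
end

# Roles the actor may hand out: the whole catalogue for admins, only the
# roles the actor already holds for non-admins with the user-editing right.
def assignable_roles(actor, catalogue)
  return catalogue if actor.admin
  return [] unless actor.permission?("edit_users")
  catalogue.select { |r| actor.roles.include?(r) }
end

# Assign a role or raise; returns the target's role names on success.
def assign_role!(actor, target, role, catalogue)
  unless assignable_roles(actor, catalogue).include?(role)
    raise ArgumentError, "#{actor.login} may not assign role '#{role.name}'"
  end
  target.roles << role unless target.roles.include?(role)
  target.roles.map(&:name)
end

# Constructed sample roles: a non-admin site manager lacks the org-admin role.
ORG_ADMIN  = Role.new("Organization X admin", %w[view_hosts create_hosts edit_users])
SITE_ADMIN = Role.new("Site manager", %w[create_organizations edit_users])

# The site manager can pass on their own role but not the one they lack,
# which is exactly the gap this RFE asks to close.
def demo
  foreman_admin = User.new("foreman_admin", roles: [SITE_ADMIN])
  newcomer      = User.new("newcomer")
  ok  = assign_role!(foreman_admin, newcomer, SITE_ADMIN, [SITE_ADMIN, ORG_ADMIN])
  err = begin
    assign_role!(foreman_admin, newcomer, ORG_ADMIN, [SITE_ADMIN, ORG_ADMIN])
  rescue ArgumentError => e
    e.message
  end
  [ok, err]
end
```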

#5 Updated by Ondřej Pražák about 1 month ago

You are right, the assignment of permissions to roles by non-admin users is possible, I was missing *_filters permissions. The assignment of non-owned roles to users needs to be implemented.

#6 Updated by Dominic Cleal about 1 month ago

  • Subject changed from Improve multitenancy with admin for organization to Allow non-admin user to assign roles they don't have to another user

Note that this is denied due to #2630.
