Bug #21343

Organization admin should be able to work with full multitenancy

Added by Marek Hulán 7 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assigned To: Marek Hulán
Category: Organizations and Locations
Target version: Team Marek Iteration 25
Difficulty:
Bugzilla link: 1502725
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/4917
Story points: -
Velocity based estimate: -
Release: 1.17.0
Release relationship: Auto

Description

Right now the org admin works "by accident". That works in the UI, and for the API something similar can be achieved by #16363. But in the ideal case, available organizations should work based on the view_organizations and assign_organizations permissions. While the feature today is limited to a single organization, we should support delegation for multiple organizations.

Reproducing steps (in both UI and API)
0. create a user with org admin role assigned to 2 organizations
1. try creating a new domain
2. it will always fail without any error message in the UI; the issue is in fact that the taxonomy assignment is disallowed until the user gets the view_organizations and assign_organizations permissions

Expected behavior
  • After a user gets the Org admin role (which is assigned to one or more orgs) and is assigned to these organizations, they can create/edit resources in these.
  • This means organization filters need to be assignable to organizations (requires scoped_search definition)

Related issues

Related to Foreman - Bug #21119: [Hammer] Org Admin user cannot create user though cli Closed 09/27/2017
Duplicated by Foreman - Bug #21998: A user with "Organization admin" role is not able to list... Duplicate 12/17/2017
Blocked by Foreman - Bug #21342: Role needs to be updated if their permissions changed in ... Closed 10/16/2017
Blocked by Foreman - Bug #21629: Taxonomy select box does not print error message Closed 11/10/2017

Associated revisions

Revision 3576f8fb
Added by Marek Hulán 5 months ago

Fixes #21343 - support multiple orgs supported for non-admin users

  • Fixes #21343 - support multiple orgs supported for non-admins

This adds full support for taxonomies in the API for non-admin users. It
fixes the issue with the dirty associations module that only tracks _ids
changes. It also makes nil a valid value for the organization_id and
location_id parameters, which sets "Any context" explicitly, so the user
can override the default context to any. Finally it updates the org admin
role to have permissions to see and edit organizations. That required an
enforcement of taxonomies that are being set as parent as well as
taxonomy filters being searchable by taxonomy_id. So the filter for
e.g. organizations can be correctly scoped for org admin too.

History

#1 Updated by Marek Hulán 7 months ago

  • Blocked by Bug #21342: Role needs to be updated if their permissions changed in new version added

#2 Updated by Marek Hulán 7 months ago

  • Bugzilla link set to 1502725

#3 Updated by The Foreman Bot 7 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4917 added

#4 Updated by Marek Hulán 7 months ago

  • Related to Bug #21119: [Hammer] Org Admin user cannot create user though cli added

#5 Updated by Marek Hulán 7 months ago

  • Target version changed from Foreman - Team Marek Iteration 21 to Foreman - Team Marek Iteration 22

#6 Updated by Marek Hulán 7 months ago

  • Target version changed from Foreman - Team Marek Iteration 22 to Foreman - Team Marek Iteration 23

#7 Updated by Marek Hulán 6 months ago

  • Blocked by Bug #21629: Taxonomy select box does not print error message added

#8 Updated by Marek Hulán 6 months ago

  • Target version changed from Foreman - Team Marek Iteration 23 to Foreman - Team Marek Iteration 24

#9 Updated by Marek Hulán 5 months ago

  • Target version changed from Foreman - Team Marek Iteration 24 to Team Marek Iteration 25

#10 Updated by Ivan Necas 5 months ago

  • Release set to 1.17.0
  • Status changed from Ready For Testing to Closed

#11 Updated by Tomer Brisker 5 months ago

  • Duplicated by Bug #21998: A user with "Organization admin" role is not able to list resources when specifing org id in api added
