  1. Ansible Automation Platform RFEs
  2. AAPRFE-1046

Allow a Team to create job templates from its own resources only but not all resources from an organization


      What is the nature and description of the request?

      Job Template rights are not granular enough: either you are an admin of all the Job Templates within an Organization, or you can manage individual Job Templates.
      This is without taking into account rights on any other resources (Projects, Inventories, Credentials).

      I would like users to be unable to modify Job Templates that don't belong to their Team.
      Currently, one user with Job Template administrative rights can modify templates that they wouldn't be able to execute anyway.

      This is a violation of the RBAC model and a possible security flaw.

      I would expect to be able to authorize a Team to create their own Job Templates that can use the Team's own resource rights, without interacting with Job Templates of other teams from the same organisation.
      They should be able to modify, create and run their own Job Templates, based on their existing rights on other resources (inventories, projects, credentials, and so on).

      With a folder / file-ownership approach, it would be like this:

      1. One folder per organization with rights set at the organization level for all underlying resources.
      2. One sub-folder within the organization level, per team, with rights set at the team level for all underlying resources within the same folder of the parent organization.
        Currently, it is possible to assign RWX rights to all objects of the organization-folder, or just a single one, but you cannot allow RWX to all future objects created by a Team in the organization (as it would be if you assign the rights to a sub-folder).

      Why does the customer need this? (List the business requirements here)

      Cannot delegate to a Team the ability to create templates and modify the ones it created without granting rights to modify all the templates of the organization.
      It could be the same with the other resources, but is not as critical.

      Creating multiple organizations to bypass this limit would risk ending up in a situation that is too complicated to handle: I don't need to assign rights to modify all resources to those kinds of teams, only the option to create templates targeting "allowed hosts/pre-defined credentials".

      There is a similar structure with Organizations & Locations in the Satellite Platform, where there are two layers of rights, not just a single one.
      A similar approach in AAP will improve the situation.

              bcoursen@redhat.com Brian Coursen
              rhn-support-mcanu Matteo Canu
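
The gap described in this request, as a small Python model that is added here and is not AAP code or part of the original ticket. Every class, field and sample name is hypothetical; `can_modify_proposed` is one reading of the requested team-level ("sub-folder") grant, gated on the user's rights to the resources a template references.

```python
# Toy model of the RBAC gap in this request; all names are hypothetical, not AAP's API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class JobTemplate:
    name: str
    org: str
    team: str                 # owning team: the "sub-folder" in the analogy
    uses: frozenset           # inventories/projects/credentials it references

@dataclass
class User:
    teams: set
    usable: set                                       # resources the user may use
    org_jt_admin: set = field(default_factory=set)    # orgs: admin of all templates
    object_admin: set = field(default_factory=set)    # individually granted templates
    team_jt_admin: set = field(default_factory=set)   # requested team-scoped grant

def can_modify_current(user, jt):
    # Org-wide admin or a per-object grant; resource rights are not consulted.
    return jt.org in user.org_jt_admin or jt.name in user.object_admin

def can_modify_proposed(user, jt):
    # Org-wide and per-object grants still apply; the new path is team ownership,
    # gated on the user's rights to every resource the template references.
    if can_modify_current(user, jt):
        return True
    in_team = jt.team in user.teams and jt.team in user.team_jt_admin
    return in_team and jt.uses <= user.usable

# Constructed sample data: one organization, two teams.
NET_UPGRADE = JobTemplate("net-upgrade", "acme", "net", frozenset({"net-inv", "net-cred"}))
DB_BACKUP = JobTemplate("db-backup", "acme", "db", frozenset({"db-inv", "db-cred"}))
NET_FUTURE = JobTemplate("net-audit", "acme", "net", frozenset({"net-inv"}))  # created later

NET_RIGHTS = {"net-inv", "net-cred"}
# Today, covering the team's future templates requires the org-wide role.
ALICE_TODAY = User(teams={"net"}, usable=NET_RIGHTS, org_jt_admin={"acme"})
# With the requested grant, the org-wide role is no longer needed.
ALICE_PROPOSED = User(teams={"net"}, usable=NET_RIGHTS, team_jt_admin={"net"})

def report():
    rows = {}
    for jt in (NET_UPGRADE, DB_BACKUP, NET_FUTURE):
        rows[jt.name] = (can_modify_current(ALICE_TODAY, jt),
                         can_modify_proposed(ALICE_PROPOSED, jt))
    return rows

if __name__ == "__main__":
    for name, (today, proposed) in report().items():
        print(f"{name:12} today={today!s:5} proposed={proposed}")
```

The `db-backup` row is the case the request objects to: the org-wide role lets the user edit a template whose inventory and credential they cannot use, while the team-scoped grant still covers the team's later `net-audit` template.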