Uploaded image for project: 'Ansible Automation Platform RFEs'
  1. Ansible Automation Platform RFEs
  2. AAPRFE-2476

Normal users cannot create labels "You do not have permission to perform this action"

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      >Steps to reproduce:
      [1] Create a normal user that is a member of a Team
      [2] Give that Team the below roles on an Organization
      Organization Project Admin
      Organization Credential Admin
      Organization WorkflowJobTemplate Admin
      Organization NotificationTemplate Admin
      Organization JobTemplate Admin
      Organization ExecutionEnvironment Admin
      EDA Organization Project Admin
      Organization Activation Admin
      Organization Eda Credential Admin
      Organization Decision Environment Admin
      Organization Event Stream Admin
      [3] Create a Template with a Project from the same Organization.
      [4] Fill minimal details > Save > Should save fine.
      [5] Now edit the Template and create a new label > Save
      Then Error with "You do not have permission to perform this action."
      FYI...Test screenshot attached. Tested it and be able to reproduce the same issue.

      >Investigation:
      It seems that the user tried to create label, and it failed because the user is not assigned that organization.
      As per the following POST data, the user needs to access the organization. So the user needs to be assigned to that organization.
      https://${AAP_URL}/api/controller/v2/labels/
      https://${AAP_URL}/api/controller/v2/job_templates/${ID}/labels/

      { "name": "", "organization": null }

      >Workaround:
      [1] Confirm what organization is assigned to the user (Dashbard > Access Management > Users > Choose your user > Organizations).
      [2] Specify the organization to which the project containing the job template belongs.
      This should grant the minimum necessary permissions for the organization itself, so label creation should succeed.
      So, labels are paired with organizations, so it doesn't work unless the user belongs to one.
      Note: This isn't just limited to AAP 2.6, it's the same for all previous AAP versions too.

      >The customer's Expectation for this RFE:
      The customer does not operate under a single Organization and they grant certain Organization Admin permissions to Teams. A user can be a member of one or many Teams and are not assigned to a specific Organization. But it sounds like it would be not acceptable for an end user to have their account updated to a different Orgs just to assign labels to Templates.
      Therefore, the customer expect to allow users to add labels to templates regardless of whether they are assigned to a specific organization.

        1. Screenshot_For_error_message.png
          153 kB
          kevin kim

              Unassigned Unassigned
              rhn-support-seokim kevin kim
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: