Bug
Resolution: Unresolved
1.5.2
Description of problem:
I use integration with AD. One user can be a member of multiple groups.
Currently I have configured admin users with:

    permission:
      enabled: true
      rbac:
        admin:
          users:
            - name: group:default/special_admins

But users from this group are included within other groups as well.
I have created the role with the following condition:

    result: CONDITIONAL
    roleEntityRef: 'role:default/Group.Read'
    pluginId: catalog
    resourceType: catalog-entity
    permissionMapping:
      - read
    conditions:
      anyOf:
        - rule: IS_ENTITY_OWNER
          resourceType: catalog-entity
          params:
            claims:
              - $ownerRefs
        - rule: IS_ENTITY_KIND
          resourceType: catalog-entity
          params:
            kinds:
              - Template

Now when I assign a group that includes an admin user to this role, my admin users lose their admin permissions and cannot see all catalog items, only the ones described in the conditions I mentioned earlier. Also they cannot edit permissions in the UI; there is an "unauthorized" record.
If I remove this role from the group with the user, everything works as expected. I think we need a special case for admin users to ignore other roles where the user is included.
Steps to Reproduce
- Add group/user as admin/superadmin
- Create a role with conditions and assign it to another (non-admin) group that also includes the admin user
Actual results:
Admin user should be a special case and ignore other roles.
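As an added example, not part of this report and not code from the RBAC plugin: a small Python check, run on constructed data, that flags the overlap this report hits, namely an admin user who also reaches a conditionally restricted role through another AD group. It assumes the admin list has the shape of `permission.rbac.admin.users`, that role membership comes from the `g` rows of an rbac-policy.csv, that the conditional policy file carries a `roleEntityRef`, and that catalog group membership is available as a group-to-members map (nested groups included); the entity refs, users and groups below are made up.

```python
"""Constructed check (not RHDH or Backstage RBAC plugin code): given the
admin block from app-config.yaml, the `g` rows of an rbac-policy.csv, a
conditional-policy list and the catalog's group membership, list every
admin who also reaches a conditionally restricted role through another
group. All data below is made up to mirror the report's setup."""
from typing import Dict, List, Set, Tuple

# Constructed: permission.rbac.admin.users from app-config.yaml
ADMIN_USERS = [{"name": "group:default/special_admins"}]

# Constructed: Casbin-style rbac-policy.csv; `g` rows bind a member to a role
RBAC_POLICY_CSV = """\
p, role:default/Group.Read, catalog.entity.read, read, allow
g, group:default/developers, role:default/Group.Read
g, user:default/carol, role:default/Group.Read
"""

# Constructed: the conditional policies file; only roleEntityRef matters here
CONDITIONAL_POLICIES = [
    {
        "result": "CONDITIONAL",
        "roleEntityRef": "role:default/Group.Read",
        "pluginId": "catalog",
        "resourceType": "catalog-entity",
        "permissionMapping": ["read"],
        "conditions": {"anyOf": [
            {"rule": "IS_ENTITY_OWNER", "resourceType": "catalog-entity",
             "params": {"claims": ["$ownerRefs"]}},
            {"rule": "IS_ENTITY_KIND", "resourceType": "catalog-entity",
             "params": {"kinds": ["Template"]}},
        ]},
    }
]

# Constructed: group -> direct members, as AD ingestion would put them in
# the catalog. Groups may contain groups, so expansion must recurse.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "group:default/special_admins": {"user:default/alice"},
    "group:default/developers": {"user:default/bob", "group:default/platform"},
    "group:default/platform": {"user:default/alice"},
}


def expand_members(ref: str, groups: Dict[str, Set[str]], seen=None) -> Set[str]:
    """Resolve a user or group entity ref to the set of concrete users,
    following nested groups and guarding against membership cycles."""
    seen = set() if seen is None else seen
    if ref.startswith("user:"):
        return {ref}
    if ref in seen:
        return set()
    seen.add(ref)
    users: Set[str] = set()
    for member in groups.get(ref, set()):
        users |= expand_members(member, groups, seen)
    return users


def role_bindings(policy_csv: str) -> List[Tuple[str, str]]:
    """Return (member, role) pairs from the `g` rows of an rbac-policy.csv."""
    bindings = []
    for line in policy_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3 and fields[0] == "g":
            bindings.append((fields[1], fields[2]))
    return bindings


def find_admin_overlaps(admin_users, policy_csv, conditional_policies, groups):
    """Map each admin user to the (role, bound-member) pairs through which a
    conditional policy also applies to that admin."""
    admins: Set[str] = set()
    for entry in admin_users:
        admins |= expand_members(entry["name"], groups)
    conditional_roles = {p["roleEntityRef"] for p in conditional_policies}
    overlaps: Dict[str, List[Tuple[str, str]]] = {}
    for member, role in role_bindings(policy_csv):
        if role not in conditional_roles:
            continue
        for user in expand_members(member, groups) & admins:
            overlaps.setdefault(user, []).append((role, member))
    return overlaps


if __name__ == "__main__":
    hits = find_admin_overlaps(ADMIN_USERS, RBAC_POLICY_CSV,
                               CONDITIONAL_POLICIES, GROUP_MEMBERS)
    for user, pairs in hits.items():
        for role, via in pairs:
            print(f"{user} is an admin but also gets conditional role {role} via {via}")
```

On the constructed data the check reports alice: she is an admin through special_admins but also inherits Group.Read through the nested platform group inside developers, which is exactly the configuration the report says removes her admin view. Running a check like this against the real admin list, policy CSV and catalog groups shows which admins to expect trouble for before the conditional role is assigned.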