  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-1980

Revisit privileges for /core-service=management/access=authorization

      Description

      It seems the access control resources (/core-service=management/access=authorization) are addressable by the monitor role:

      [standalone@localhost:9990 /] /core-service=management/access=authorization:read-resource(){roles=monitor}
      {
          "outcome" => "success",
          "result" => {
              "provider" => "simple",
              "use-realm-roles" => false,
              "constraint" => {
                  "application-classification" => undefined,
                  "sensitivity-classification" => undefined,
                  "vault-expression" => undefined
              },
              "role-mapping" => {"SuperUser" => undefined}
          }
      }
      

      I think it should be 'addressable=false' for anybody except SuperUser and Administrator
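
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of WildFly's code: it parses captured `read-resource` responses per role and lists the roles outside SuperUser and Administrator that could still address the resource. The function names, the `DENIED` sample, and the assumption that a non-addressable resource returns a failed outcome are illustrative and not taken from the issue.

```python
import re

# Roles the issue proposes should still be able to address the resource.
ALLOWED = {"superuser", "administrator"}
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(=>)|([{},])|([^\s{},"=]+)')
BARE = {"true": True, "false": False, "undefined": None}

def parse_dmr(text):
    """Parse the subset of CLI output shown in the issue: nested
    {"key" => value} objects with string or bare-word values."""
    toks, pos = list(TOKEN.finditer(text)), 0

    def value():
        nonlocal pos
        m = toks[pos]
        pos += 1
        if m.group(3) == "{":
            obj = {}
            while toks[pos].group(3) != "}":
                key, arrow = toks[pos].group(1), toks[pos + 1].group(2)
                if key is None or arrow is None:
                    raise ValueError('expected "key" =>')
                pos += 2
                obj[key] = value()
                if toks[pos].group(3) == ",":
                    pos += 1
            pos += 1  # consume the closing brace
            return obj
        if m.group(1) is not None:
            return m.group(1)
        word = m.group(4)
        return BARE.get(word, word)

    return value()

def roles_that_can_address(responses):
    """responses maps role -> captured response text. Returns roles outside
    ALLOWED whose read-resource call succeeded (resource was addressable)."""
    return sorted(r for r, text in responses.items()
                  if r.lower() not in ALLOWED
                  and parse_dmr(text).get("outcome") == "success")

# Response body as captured in the issue for {roles=monitor}.
MONITOR = '''{ "outcome" => "success", "result" => { "provider" => "simple",
  "use-realm-roles" => false,
  "constraint" => { "application-classification" => undefined,
    "sensitivity-classification" => undefined, "vault-expression" => undefined },
  "role-mapping" => {"SuperUser" => undefined} } }'''
# Constructed sample (assumption): a non-addressable resource yields a failure.
DENIED = '{ "outcome" => "failed", "failure-description" => "constructed: not found" }'

if __name__ == "__main__":
    print(roles_that_can_address({"monitor": MONITOR, "SuperUser": MONITOR}))
```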

                People

                • Assignee: Brian Stansberry (brian.stansberry)
                • Reporter: Heiko Braun (heiko.braun)