rbac: bug while merging roles with permissions and policies
Plugin Name
RBAC
Description
There is a role with administrator permissions on all entities for the administrators' group. When creating a new role over the user group (which includes the administrators) that restricts reading entities from the catalog, the permission merge is not performed: the most restrictive policy is applied instead of merging all the policies that affect that user.
The owners role only has catalog entity read with the $ownerRefs policy.
Expected behavior
The expected behavior is that administrators do not lose their administrator permissions and the rest of the users can see the entities they own. When a user has both an administrator role and an owner role, the policies should be merged.
Actual Behavior with Screenshots
"The administrator is losing the policies that allow them to manage backstage and becomes a user who can only see the entities they own."
Reproduction steps
1 - Go to RBAC
2 - Create a new administrator role with all permissions on all resource types
3 - We add the administrator team.
4 - Verify we have administration permissions
5 - Create a new role showOwnerCatalot with permission to see the user's own entities
6 - We add the user group that contains the administrator users.
7 - We create the policy and the rule to show only catalog read entity
8 - Create the rule with the entity_owner
9 - Apply the role
10 - My user, which is an administrator, lost all the permissions (except delete roles), but we think the user should have continued with all permissions.
11 - If I refresh the screen, I see my own entities, not all of them, and I see the RBAC menu; I can delete roles but not update or create them.
Provide the context for the Bug.
We are trying to profile the administrator users, and the users who can only see their own entities in the catalog, considering that the administrator users are in the global user group.
Have you spent some time to check if this bug has been raised before?
- I checked and didn't find similar issue
Have you read the Code of Conduct?
- I have read the Code of Conduct
Are you willing to submit PR?
None
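To make the expected merge semantics concrete, the following is an added Python model written for this discussion; it is not the RBAC plugin's own evaluation code. Role names, group names, the `catalog-entity` actions and the `IS_ENTITY_OWNER` rule name are constructed placeholders that mirror the report: an administrator role bound to the administrators group with unconditional grants, and an owner role bound to the broader users group (which also contains the administrators) with a conditional read. `decide_most_restrictive` models the reported symptom for the read permission (a conditional grant overriding an unconditional one); `decide_merged` models the expected behaviour, where an unconditional allow from any of the user's roles wins and, failing that, the conditions of all applicable roles are OR-ed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Grant:
    """One permission granted by a role.

    condition=None is an unconditional allow; otherwise it names the
    conditional rule that must hold (e.g. the constructed IS_ENTITY_OWNER)."""
    resource: str
    action: str
    condition: Optional[str] = None


@dataclass(frozen=True)
class Role:
    name: str
    members: FrozenSet[str]   # groups bound to the role
    grants: FrozenSet[Grant]


# Constructed roles mirroring the report (placeholders, not the reporter's real configuration).
ADMIN_ROLE = Role(
    "role:default/administrator",
    frozenset({"group:default/administrators"}),
    frozenset(Grant("catalog-entity", a) for a in ("read", "create", "update", "delete")),
)
OWNER_ROLE = Role(
    "role:default/showOwnerCatalog",
    frozenset({"group:default/users"}),  # this group also contains the administrators
    frozenset({Grant("catalog-entity", "read", condition="IS_ENTITY_OWNER")}),
)
ROLES: List[Role] = [ADMIN_ROLE, OWNER_ROLE]

# Constructed group memberships: an administrator belongs to both groups.
ADMIN_USER: Set[str] = {"group:default/administrators", "group:default/users"}
REGULAR_USER: Set[str] = {"group:default/users"}


def applicable_grants(user_groups: Set[str], roles: List[Role],
                      resource: str, action: str) -> List[Grant]:
    """Collect every grant for (resource, action) from every role bound to one of the user's groups."""
    return [
        g
        for r in roles
        if r.members & user_groups
        for g in r.grants
        if g.resource == resource and g.action == action
    ]


def decide_most_restrictive(user_groups: Set[str], roles: List[Role],
                            resource: str, action: str) -> str:
    """Model of the reported symptom: a conditional grant overrides an unconditional one,
    so an administrator who is also in the users group drops to owner-only read."""
    grants = applicable_grants(user_groups, roles, resource, action)
    if not grants:
        return "DENY"
    conditional = sorted(g.condition for g in grants if g.condition)
    if conditional:
        return "CONDITIONAL:" + "|".join(conditional)
    return "ALLOW"


def decide_merged(user_groups: Set[str], roles: List[Role],
                  resource: str, action: str) -> str:
    """Expected semantics: any unconditional allow wins; otherwise the conditions
    of all applicable roles are OR-ed; no applicable grant means deny."""
    grants = applicable_grants(user_groups, roles, resource, action)
    if not grants:
        return "DENY"
    if any(g.condition is None for g in grants):
        return "ALLOW"
    return "CONDITIONAL:" + "|".join(sorted({g.condition for g in grants}))


if __name__ == "__main__":
    for label, groups in (("admin", ADMIN_USER), ("regular", REGULAR_USER)):
        for decide in (decide_most_restrictive, decide_merged):
            print(label, decide.__name__, decide(groups, ROLES, "catalog-entity", "read"))
```

Running the block shows the two models diverging only for the user who is in both groups: under the merged semantics the administrator keeps an unconditional read, while a regular user still gets the owner-conditioned read. The same comparison, applied as a post-deployment check against a real policy set for one member of each group, is a quick way to detect this class of regression before users notice lost permissions.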