Title: Dynamic Role Model partly allows users to create users with more rights · Issue #5781 · apache/cloudstack · GitHub
Open Graph Title: Dynamic Role Model partly allows users to create users with more rights · Issue #5781 · apache/cloudstack
X Title: Dynamic Role Model partly allows users to create users with more rights · Issue #5781 · apache/cloudstack
Description: ISSUE TYPE Bug Report COMPONENT NAME API CLOUDSTACK VERSION 4.16.0 CONFIGURATION N/A OS / ENVIRONMENT N/A SUMMARY A new role, for example "Domain Admin Restricted", is created by a Root Admin Account based on existing role "Domain Admin"...
Open Graph Description: ISSUE TYPE Bug Report COMPONENT NAME API CLOUDSTACK VERSION 4.16.0 CONFIGURATION N/A OS / ENVIRONMENT N/A SUMMARY A new role, for example "Domain Admin Restricted", is created by a Root Admin Accou...
X Description: ISSUE TYPE Bug Report COMPONENT NAME API CLOUDSTACK VERSION 4.16.0 CONFIGURATION N/A OS / ENVIRONMENT N/A SUMMARY A new role, for example "Domain Admin Restricted", is created by a Root A...
Opengraph URL: https://github.com/apache/cloudstack/issues/5781
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Dynamic Role Model partly allows users to create users with more rights","articleBody":"\u003c!--\r\nVerify first that your issue/request is not already reported on GitHub.\r\nAlso test if the latest release and main branch are affected too.\r\nAlways add information AFTER of these HTML comments, but no need to delete the comments.\r\n--\u003e\r\n\r\n##### ISSUE TYPE\r\n\u003c!-- Pick one below and delete the rest --\u003e\r\n * Bug Report\r\n\r\n\r\n##### COMPONENT NAME\r\n\u003c!--\r\nCategorize the issue, e.g. API, VR, VPN, UI, etc.\r\n--\u003e\r\n~~~\r\nAPI\r\n~~~\r\n\r\n##### CLOUDSTACK VERSION\r\n\u003c!--\r\nNew line separated list of affected versions, commit ID for issues on main branch.\r\n--\u003e\r\n\r\n~~~\r\n4.16.0\r\n~~~\r\n\r\n##### CONFIGURATION\r\n\u003c!--\r\nInformation about the configuration if relevant, e.g. basic network, advanced networking, etc. N/A otherwise\r\n--\u003e\r\nN/A\r\n\r\n##### OS / ENVIRONMENT\r\n\u003c!--\r\nInformation about the environment if relevant, N/A otherwise\r\n--\u003e\r\nN/A\r\n\r\n##### SUMMARY\r\n\u003c!-- Explain the problem/feature briefly --\u003e\r\nA new role, for example \"Domain Admin Restricted\", is created by a Root Admin Account based on existing role \"Domain Admin\"\r\nSome functionality is restricted of the role \"Domain Admin Restricted\" with setting \"Deny\" for some APIs, for example createServiceOffering.\r\nA new Account/User, DAJonDoeRestricted, is created based on the role \"Domain Admin Restricted\".\r\nThe user \"DAJonDoeRestricted\" is not allowed to execute createServiceOffering.\r\nBut the user DAJonDoeRestricted is allowed to create a new Account based on the default role \"Domain Admin\".\r\nFor this user, the deny rules of role Domain Admin Restricted are not inherited and do not apply.\r\nThe newly created user has higher rights than the restricted user.\r\n\r\n##### STEPS TO REPRODUCE\r\n\u003c!--\r\nFor bugs, show exactly how to reproduce the problem, using a minimal test-case. Use Screenshots if accurate.\r\n\r\nFor new features, show how the feature would be used.\r\n--\u003e\r\nCreate Role \"Domain Admin Restricted\" based on \"Domain Admin\"\r\nRestrict functionality by choosing Deny for \"createServiceOffering\"\r\nCreate an Account \"DAJonDoeRestricted\" based on \"Domain Admin Restricted\"\r\nLogin as account \"DAJonDoeRestricted\"\r\nCreate a new account \"DAJaneDoeNotrestricted\" based on Role \"Domain Admin\"\r\nLogout user \"DAJonDoeRestricted\"\r\nLogin user \"DAJaneDoeNotrestricted\"\r\n\r\nUser \"DAJonDoeRestricted\" is not allowed to issue createServiceOffering.\r\nUser \"DAJaneDoeNotrestricted\" is allowed to issue createServiceOffering.\r\n\r\n\u003c!-- Paste example playbooks or commands between quotes below --\u003e\r\n\r\n\r\n\u003c!-- You can also paste gist.github.com links for larger files --\u003e\r\n\r\n##### EXPECTED RESULTS\r\n\u003c!-- What did you expect to happen when running the steps above? --\u003e\r\n\r\n\r\nAccounts should not be able to create accounts with rights for more functionality than they are allowed themselves.\r\nRestrictions should be inherited or the ability to create accounts based on Roles with more functionality rights should not be given.\r\n\r\n\r\n##### ACTUAL RESULTS\r\n\u003c!-- What actually happened? --\u003e\r\n\r\n\u003c!-- Paste verbatim command output between quotes below --\u003e\r\n\r\nAccounts based restricted roles, which were based on Domain Admin role, are able to create Accounts with original/unrestricted Domain Admin functionality rights.\r\n\r\n","author":{"url":"https://github.com/StepBee","@type":"Person","name":"StepBee"},"datePublished":"2021-12-15T17:56:45.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":11},"url":"https://github.com/5781/cloudstack/issues/5781"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:315176a3-ada5-a0e8-b763-bf27ffb98c45 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 8BDA:35E3EC:75A52:A7CBB:6A4CC3F2 |
| html-safe-nonce | b8f879007e58c98e2a89111475415774bda09d10f621cb748c3efb49da256606 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4QkRBOjM1RTNFQzo3NUE1MjpBN0NCQjo2QTRDQzNGMiIsInZpc2l0b3JfaWQiOiI2Mjg4NDIzODk2NjA2MzYwNTYyIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 167207faddae97f1afa57d259654d01db52713b1bef8bd26a003f55eefef1bdc |
| hovercard-subject-tag | issue:1081324631 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/5781/issue_layout |
| twitter:image | https://opengraph.githubassets.com/93a59dff2d25cd990d376aa119df45ebc070344485551f174197c18c91757810/apache/cloudstack/issues/5781 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/93a59dff2d25cd990d376aa119df45ebc070344485551f174197c18c91757810/apache/cloudstack/issues/5781 |
| og:image:alt | ISSUE TYPE Bug Report COMPONENT NAME API CLOUDSTACK VERSION 4.16.0 CONFIGURATION N/A OS / ENVIRONMENT N/A SUMMARY A new role, for example "Domain Admin Restricted", is created by a Root Admin Accou... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | StepBee |
| hostname | github.com |
| expected-hostname | github.com |
| None | 3d11bb817438277de2a940854450e83a7d32b6aeb5014e9e6b00a6423900251c |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | d0da0eb92994395299ed4450bf67b0373005be36 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width