StepBee opened a new issue #5781:
URL: https://github.com/apache/cloudstack/issues/5781
<!--
Verify first that your issue/request is not already reported on GitHub.
Also test if the latest release and main branch are affected too.
Always add information AFTER of these HTML comments, but no need to delete
the comments.
-->
##### ISSUE TYPE
<!-- Pick one below and delete the rest -->
* Bug Report
##### COMPONENT NAME
<!--
Categorize the issue, e.g. API, VR, VPN, UI, etc.
-->
~~~
API
~~~
##### CLOUDSTACK VERSION
<!--
New line separated list of affected versions, commit ID for issues on main
branch.
-->
~~~
4.16.0
~~~
##### CONFIGURATION
<!--
Information about the configuration if relevant, e.g. basic network,
advanced networking, etc. N/A otherwise
-->
N/A
##### OS / ENVIRONMENT
<!--
Information about the environment if relevant, N/A otherwise
-->
N/A
##### SUMMARY
<!-- Explain the problem/feature briefly -->
A new role, for example "Domain Admin Restricted", is created by a Root
Admin Account based on existing role "Domain Admin"
Some functionality is restricted of the role "Domain Admin Restricted" with
setting "Deny" for some APIs, for example createServiceOffering.
A new Account/User, DAJonDoeRestricted, is created based on the role "Domain
Admin Restricted".
The user "DAJoenDoeRestricted" is not allowed to execute
createServiceOffering.
But the user DAJoenDoeRestricted is allowed to create a new Account based on
the default role "Domain Admin".
For this user, the deny rules of role Domain Admin Restricted are not
inherited and do not apply.
The newly created user has higher rights than the restricted user.
##### STEPS TO REPRODUCE
<!--
For bugs, show exactly how to reproduce the problem, using a minimal
test-case. Use Screenshots if accurate.
For new features, show how the feature would be used.
-->
Create Role "Domain Admin Restricted" based on "Domain Admin"
Restrict functionality by choosing Deny for "createServiceOffering"
Create an Account "DAJonDoeRestricted" based on "Domain Admin Restricted"
Login as account "DAJonDoeRestricted"
Create a new account "DAJaneDoeNotrestricted" based on Role "Domain Admin"
Logout user "DAJonDoeRestricted"
Login user "DAJaneDoeNotrestricted"
User "DAJonDoeRestricted" is not allowed to issue createServiceOffering.
User "DAJaneDoeNotrestricted" is allowed to issue createServiceOffering.
<!-- Paste example playbooks or commands between quotes below -->
<!-- You can also paste gist.github.com links for larger files -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
Accounts should not be able to create accounts with rights for more
functionality than they are allowed themselves.
Restrictions should be inherited or the ability to create accounts based on
Roles with more functionality rights should not be given.
##### ACTUAL RESULTS
<!-- What actually happened? -->
<!-- Paste verbatim command output between quotes below -->
Accounts based restricted roles, which were based on Domain Admin role, are
able to create Accounts with original/unrestricted Domain Admin functionality
rights.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
