You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When logged in as a user with restricted administrator role, the "Assign Global Roles" button is missing from the UI. Customer is seeing this when Azure AD is enabled. Can also reproduce on an environment with GitHub authentication enabled. According to docs at [https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/global-permissions/#restricted-admin] the restricted admin should have this permission: Assign Global role to groups with settings Yes/No/Yes/As Allowed by the Webhook
Business impact:
Customers using Hosted Rancher (which use Restricted Administrator users) cannot use the functionality to assign a global role to an auth provider group.
Troubleshooting steps:
On support.rancher.cloud, logged in as a GitHub user with Administrator role) and compare with a GitHub user with Restricted Administator role. The restricted admin user did not have the Assign Global Roles button.
Repro steps:
Install Rancher with restricted admin helm chart option turned on.
Enable auth provider such as Azure AD or GitHub
Navigate to Users & Authentication -> Group
Workaround:
Is workaround available and implemented? no
Actual behavior:
Restricted admin users cannot assign global roles.
From the Ember UI, as a (restricted admin) if they navigate to /g/security/accounts/groups they can see the button and create a group assignment. So appears to be a "new UI" issue.
The text was updated successfully, but these errors were encountered:
Thus far, I've tested this with a restricted admin local user and verified I see the assignment button. I don't, however, have a restricted admin I can use with Azure AD. checking with @richard-cox regarding further testing - need a restricted admin azure ad user or an alternative.
@ronhorton I think you've identified a separate issue. The feature is only applicable when a non-local auth provider is configured (the local auth provider i don't think will ever return groups to assign to). I'll create something in GH to track this. In terms of testing, as per David's suggestion, using the Github Auth provider would work. That should ensure no groups are returned in the request to /v3/principals and the new way of showing the button works correctly.
Internal reference: SURE-3819
Issue description:
When logged in as a user with restricted administrator role, the "Assign Global Roles" button is missing from the UI. Customer is seeing this when Azure AD is enabled. Can also reproduce on an environment with GitHub authentication enabled. According to docs at [https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/global-permissions/#restricted-admin] the restricted admin should have this permission:
Assign Global role to groups with settings Yes/No/Yes/As Allowed by the Webhook
Business impact:
Customers using Hosted Rancher (which use Restricted Administrator users) cannot use the functionality to assign a global role to an auth provider group.
Troubleshooting steps:
On support.rancher.cloud, logged in as a GitHub user with Administrator role) and compare with a GitHub user with Restricted Administator role. The restricted admin user did not have the Assign Global Roles button.
Repro steps:
Workaround:
Is workaround available and implemented? no
Actual behavior:
Restricted admin users cannot assign global roles.
Expected behavior:
Restricted admin users can assign global roles (as stated in https://rancher.com/docs/rancher/v2.6/en/admin-settings/rbac/global-permissions/#restricted-admin)
From the Ember UI, as a (restricted admin) if they navigate to /g/security/accounts/groups they can see the button and create a group assignment. So appears to be a "new UI" issue.
The text was updated successfully, but these errors were encountered: