cloudfoundry / cloud_controller_ng

Cloud Foundry Cloud Controller
Apache License 2.0

space is not targeted for a user who has only OrgAuditor role on login #424

Closed SrinivasChilveri closed 9 years ago

SrinivasChilveri commented 9 years ago

I feel even a user with the OrgAuditor role alone is supposed to have the read capability for a particular organization's users/quotas etc. If it's according to design, please do let me know more information regarding the same. Please do find the traces & more info as below.

I have observed the same issue for a user with SpaceAuditor alone, but if a user has OrgAuditor & SpaceAuditor then on login, for that user, it targets the org & space properly.

root@ubuntu102:~/workspace/diego-release# cf create-org sriniorg
Creating org sriniorg as admin...
OK

TIP: Use 'cf target -o sriniorg' to target new org
root@ubuntu102:~/workspace/diego-release# cf target -o sriniorg
API endpoint:   https://api.10.244.0.34.xip.io (API version: 2.34.0)
User:           admin
Org:            sriniorg
Space:          No space targeted, use 'cf target -s SPACE'
root@ubuntu102:~/workspace/diego-release# cf create-space srinispace
Creating space srinispace in org sriniorg as admin...
OK
Assigning role SpaceManager to user admin in org sriniorg / space srinispace as admin...
OK
Assigning role SpaceDeveloper to user admin in org sriniorg / space srinispace as admin...
OK

TIP: Use 'cf target -o sriniorg -s srinispace' to target new space
root@ubuntu102:~/workspace/diego-release# cf create-space devspace
Creating space devspace in org sriniorg as admin...
OK
Assigning role SpaceManager to user admin in org sriniorg / space devspace as admin...
OK
Assigning role SpaceDeveloper to user admin in org sriniorg / space devspace as admin...
OK

TIP: Use 'cf target -o sriniorg -s devspace' to target new space
root@ubuntu102:~/workspace/diego-release# cf create-space testspace
Creating space testspace in org sriniorg as admin...
OK
Assigning role SpaceManager to user admin in org sriniorg / space testspace as admin...
OK
Assigning role SpaceDeveloper to user admin in org sriniorg / space testspace as admin...
OK

TIP: Use 'cf target -o sriniorg -s testspace' to target new space
root@ubuntu102:~/workspace/diego-release# cf target -s srinispace
API endpoint:   https://api.10.244.0.34.xip.io (API version: 2.34.0)
User:           admin
Org:            sriniorg
Space:          srinispace
root@ubuntu102:~/workspace/diego-release# cf org-users sriniorg
Getting users in org sriniorg as admin...

ORG MANAGER

BILLING MANAGER

ORG AUDITOR
root@ubuntu102:~/workspace/diego-release# cf space-users sriniorg srinispace
Getting users in org sriniorg / space srinispace as admin

SPACE MANAGER
  admin

SPACE DEVELOPER
  admin

SPACE AUDITOR
root@ubuntu102:~/workspace/diego-release#

root@ubuntu102:~/workspace/diego-release# cf create-user UserOrgAuditor PassOrgAuditor
Creating user UserOrgAuditor...
OK

TIP: Assign roles with 'cf set-org-role' and 'cf set-space-role'

root@ubuntu102:~/workspace/diego-release# cf set-org-role UserOrgAuditor sriniorg OrgAuditor
Assigning role OrgAuditor to user UserOrgAuditor in org sriniorg as admin...
OK
root@ubuntu102:~/workspace/diego-release# cf org-users sriniorg
Getting users in org sriniorg as admin...

ORG MANAGER

BILLING MANAGER

ORG AUDITOR
  UserOrgAuditor
root@ubuntu102:~/workspace/diego-release#

root@ubuntu102:~/workspace/diego-release# CF_TRACE=true cf login -u UserOrgAuditor -p PassOrgAuditor
API endpoint: https://api.10.244.0.34.xip.io

REQUEST: [2015-09-09T18:28:44+08:00]
GET /v2/info HTTP/1.1
Host: api.10.244.0.34.xip.io
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.12.3-c0c9a03 / linux

RESPONSE: [2015-09-09T18:28:44+08:00]
HTTP/1.1 200 OK
Content-Length: 586
Content-Type: application/json;charset=utf-8
Date: Wed, 09 Sep 2015 10:28:44 GMT
Server: nginx
X-Cf-Requestid: 85b056e4-7fb4-47ef-77be-b913e1dc86db
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: e9b6a3b5-7770-4473-53e6-b816a725d89c::cea7a909-62ef-464b-b83c-621955e37f25

{"name":"vcap","build":"2222","support":"http://support.cloudfoundry.com","version":2,"description":"Cloud Foundry sponsored by Pivotal","authorization_endpoint":"http://login.10.244.0.34.xip.io","token_endpoint":"https://uaa.10.244.0.34.xip.io","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.34.0","app_ssh_endpoint":"ssh.10.244.0.34.xip.io:2222","app_ssh_host_key_fingerprint":"a6:d1:08:0b:b0:cb:9b:5f:c4:ba:44:2a:97:26:19:8a","logging_endpoint":"wss://loggregator.10.244.0.34.xip.io:443","doppler_logging_endpoint":"wss://doppler.10.244.0.34.xip.io:4443"}

REQUEST: [2015-09-09T18:28:44+08:00]
GET /login HTTP/1.1
Host: login.10.244.0.34.xip.io
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.12.3-c0c9a03 / linux

RESPONSE: [2015-09-09T18:28:44+08:00]
HTTP/1.1 200 OK
Content-Length: 650
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-cache, no-store, max-age=0
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Wed, 09 Sep 2015 10:28:44 GMT
Expires: 0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000
X-Cf-Requestid: deed7b39-fdfa-4eb6-7cf0-a837d03ac130
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

{"app":{"version":"2.5.1"},"createAccountLink":"https://console.10.244.0.34.xip.io/register","forgotPasswordLink":"https://console.10.244.0.34.xip.io/password_resets/new","zone_name":"uaa","links":{"uaa":"http://uaa.10.244.0.34.xip.io","passwd":"https://console.10.244.0.34.xip.io/password_resets/new","login":"http://login.10.244.0.34.xip.io","register":"https://console.10.244.0.34.xip.io/register"},"entityID":"login.10.244.0.34.xip.io","commit_id":"eae6724","idpDefinitions":[],"prompts":{"username":["text","Email"],"password":["password","Password"]},"linkCreateAccountShow":true,"fieldUsernameShow":true,"timestamp":"2015-08-05T00:00:41+0000"}
Authenticating...

REQUEST: [2015-09-09T18:28:44+08:00]
POST /oauth/token HTTP/1.1
Host: login.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/x-www-form-urlencoded
User-Agent: go-cli 6.12.3-c0c9a03 / linux

grant_type=password&password=[PRIVATE DATA HIDDEN]&scope=&username=UserOrgAuditor

RESPONSE: [2015-09-09T18:28:44+08:00]
HTTP/1.1 200 OK
Content-Length: 1903
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Date: Wed, 09 Sep 2015 10:28:44 GMT
Expires: 0
Pragma: no-cache
Pragma: no-cache
Server: Apache-Coyote/1.1
X-Cf-Requestid: 0afd1a90-af7b-468f-6807-8e490fc2fb6c
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

{"access_token":"[PRIVATE DATA HIDDEN]","token_type":"bearer","refresh_token":"[PRIVATE DATA HIDDEN]","expires_in":599,"scope":"cloud_controller.read password.write cloud_controller.write openid","jti":"23bb5171-c8c7-4eb1-ae4e-9dce841f4d07"}
OK

REQUEST: [2015-09-09T18:28:44+08:00]
GET /v2/organizations HTTP/1.1
Host: api.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.12.3-c0c9a03 / linux

RESPONSE: [2015-09-09T18:28:44+08:00]
HTTP/1.1 200 OK
Content-Length: 1502
Content-Type: application/json;charset=utf-8
Date: Wed, 09 Sep 2015 10:28:44 GMT
Server: nginx
X-Cf-Requestid: 6952b636-6a49-4c9f-5380-0af290d20cb8
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 954a2949-2acb-4fa3-792f-e16772b01be9::33308695-26b7-491e-9597-752a9c8df0bb

{ "total_results": 1, "total_pages": 1, "prev_url": null, "next_url": null, "resources": [ { "metadata": { "guid": "94df7796-1bf4-4485-bb97-47e0d2eebd01", "url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01", "created_at": "2015-09-09T10:17:47Z", "updated_at": null }, "entity": { "name": "sriniorg", "billing_enabled": false, "quota_definition_guid": "75e1cd9c-a3c1-49cc-98d8-95e28c81638f", "status": "active", "quota_definition_url": "/v2/quota_definitions/75e1cd9c-a3c1-49cc-98d8-95e28c81638f", "spaces_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/spaces", "domains_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/domains", "private_domains_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/private_domains", "users_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/users", "managers_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/managers", "billing_managers_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/billing_managers", "auditors_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/auditors", "app_events_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/app_events", "space_quota_definitions_url": "/v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/space_quota_definitions" } } ] }
Targeted org sriniorg

REQUEST: [2015-09-09T18:28:44+08:00]
GET /v2/organizations/94df7796-1bf4-4485-bb97-47e0d2eebd01/spaces?inline-relations-depth=1 HTTP/1.1
Host: api.10.244.0.34.xip.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.12.3-c0c9a03 / linux

RESPONSE: [2015-09-09T18:28:44+08:00]
HTTP/1.1 200 OK
Content-Length: 107
Content-Type: application/json;charset=utf-8
Date: Wed, 09 Sep 2015 10:28:44 GMT
Server: nginx
X-Cf-Requestid: 824e0b09-0450-405c-7b4b-37d899835937
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 553deda7-6cee-411e-6a83-8d287fdcfdb6::443dcc3b-90ed-4136-aa7c-1e3bfd777f75

{ "total_results": 0, "total_pages": 1, "prev_url": null, "next_url": null, "resources": [ ] }

API endpoint:   https://api.10.244.0.34.xip.io (API version: 2.34.0)
User:           UserOrgAuditor
Org:            sriniorg
Space:          No space targeted, use 'cf target -s SPACE'

cf-gitbot commented 9 years ago

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/102999886.

dieucao commented 9 years ago

@SrinivasChilveri I'm not sure I understand your question. If you don't have permissions on a space, there are no spaces to target. Currently an org auditor does not have permissions to view all spaces from the org. There are plans to review in the future roles and how they work, but this is the current state.

Could you clarify what commands you're currently using and what you would expect?

SrinivasChilveri commented 9 years ago

Hi @dieucao, Thanks for your reply. I thought it already provides the view permissions to all the spaces of that organization in which the user is OrgAuditor. I think the view permissions to all spaces of that organization (meaning org-users, all space users, quotas, quota usage, space quotas, space quota usages etc)... in general, org auditor has the permissions of space auditor for all the spaces of that organization. I would like to know the future plans regarding the same.

Thanks & Regards, SriniCH.

dieucao commented 9 years ago

@SrinivasChilveri Yes, that's a common confusion about how the roles work based on patterns that other websites have. I think it would make sense if an org manager automatically has space manager privileges for all spaces in the org and similarly for an org auditor. This is not work that we have prioritized in the next 3 months and requires some investigation as to how this type of change could be introduced and if it makes sense to the community. It is possible we might look into this in the first half of next year, but it's hard to say at this point. If you are very interested in this change, I could discuss with the team what approaches might be feasible and if it's something we could accept a PR on assuming the community agrees this is a change that makes sense. Please let me know.
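A model of the behaviour in the trace and in the explanation above, added here as an example (not code from cloud_controller_ng or the cf CLI): space visibility comes only from space roles, so an OrgAuditor alone gets `total_results: 0` and no space is auto-targeted. The OrgManager-sees-all-spaces rule is an assumption; the page only establishes the OrgAuditor and OrgAuditor+SpaceAuditor cases.

```python
# Added example, not cf CLI or Cloud Controller code. Models the role-based space
# visibility and the login-time auto-targeting observed in the CF_TRACE output.
from dataclasses import dataclass, field

ORG_ROLES = {"OrgManager", "BillingManager", "OrgAuditor"}
SPACE_ROLES = {"SpaceManager", "SpaceDeveloper", "SpaceAuditor"}


@dataclass
class User:
    name: str
    org_roles: dict = field(default_factory=dict)    # org -> set of org roles
    space_roles: dict = field(default_factory=dict)  # (org, space) -> set of space roles


def visible_orgs(user: User) -> list:
    """Mirrors GET /v2/organizations: every org where the user holds any org role."""
    return sorted(org for org, roles in user.org_roles.items() if roles)


def visible_spaces(user: User, org: str, org_spaces: list) -> list:
    """Mirrors GET /v2/organizations/:guid/spaces for a non-admin user.
    A space is listed only when the user holds a space role in it. OrgManager
    seeing every space is an ASSUMPTION of this model; OrgAuditor and
    BillingManager grant no space visibility, hence total_results 0 in the trace."""
    if "OrgManager" in user.org_roles.get(org, set()):
        return list(org_spaces)
    return [s for s in org_spaces if user.space_roles.get((org, s))]


def login_target(user: User, orgs_spaces: dict) -> tuple:
    """Reproduces the CLI's login behaviour: the org is auto-targeted only when
    exactly one is visible, and a space only when exactly one is visible in it."""
    orgs = visible_orgs(user)
    if len(orgs) != 1:
        return (None, None)
    org = orgs[0]
    spaces = visible_spaces(user, org, orgs_spaces.get(org, []))
    return (org, spaces[0] if len(spaces) == 1 else None)


# Constructed to match the org and spaces created in the issue's session.
ORG_SPACES = {"sriniorg": ["srinispace", "devspace", "testspace"]}

if __name__ == "__main__":
    auditor = User("UserOrgAuditor", org_roles={"sriniorg": {"OrgAuditor"}})
    print(login_target(auditor, ORG_SPACES))  # ('sriniorg', None): org targeted, no space
```

Running it for a user who also holds SpaceAuditor in srinispace returns `('sriniorg', 'srinispace')`, matching the reporter's second observation.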

dieucao commented 9 years ago

Closing this issue as it's been 6 days. If you'd like to discuss doing this via PR, or have other questions please open a new issue.