cloudfoundry / stratos

Stratos: Web-based Management UI for Cloud Foundry and Kubernetes
Apache License 2.0

As a global auditor, I'm unable to add users to an org where I'm org manager #4505

Open pburkholder opened 4 years ago

pburkholder commented 4 years ago

Stratos Version

3.2.1

Frontend Deployment type

Backend (Jet Stream) Deployment type

Expected behaviour

I should see the icon to add users:

[screenshot: add-users icon visible]

Actual behaviour

I don't see the icon to add users:

[screenshot: Screen Shot 2020-08-12 at 4 50 47 PM]

Steps to reproduce the behavior

Not sure, but I'm the only one on my team with global auditor privileges, so we suspect that supersedes the fact that I'm org manager for this org and can add people from the CLI.

richard-cox commented 4 years ago

Hi @pburkholder , I don't believe this is a bug. We prioritise roles with global coverage, like admin and global auditor, above other roles such as org manager. As the global auditor is a 'read only' role (see below) we disallow actions like changing roles that result in an update to cf resources.

From https://docs.cloudfoundry.org/concepts/roles.html Global Auditor: Read-only access to all Cloud Controller API resources except for secrets, such as environment variables. The Global Auditor role cannot access those values. Assigned the cloud_controller.global_auditor scope in UAA.

I'll admit it is very weird that the cf cli allows this, but I suspect it might be a scope caching issue deep down in cf? Both the cli and stratos hit the same issue, but in both cases reconnecting (cf login and stratos connect endpoint) will refresh the token and get the correct scopes.
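The two precedence rules debated in this thread, written out as an added example (this is not Stratos code and does not reflect how its frontend or Jet Stream backend actually evaluates roles). The "global-first" policy models the behaviour richard-cox describes: a global-coverage role such as global auditor is evaluated before any org-level role, and because it is read-only it hides write actions everywhere. The "per-org" policy models what the reporter observes from the CLI and API: the org-level role is checked for the org in question. The `cloud_controller.global_auditor` scope name is taken from the thread; the admin scope name, the role strings, the org name and the `Principal` shape are assumptions made for this example. The last function lists the orgs where the two policies disagree, which is the kind of check an operator would run to find users whose UI hides an action the API would still accept for them.

```python
"""Added example: two ways of deciding whether an "add users" action is allowed.

Neither function is Stratos's real authorization logic; both are constructed
here to make the precedence question in the thread concrete.
"""
from dataclasses import dataclass

# Scope named in the thread (from docs.cloudfoundry.org/concepts/roles.html).
SCOPE_GLOBAL_AUDITOR = "cloud_controller.global_auditor"
# Assumed name for the admin scope; used only to show a global role that
# is *not* read-only.
SCOPE_ADMIN = "cloud_controller.admin"

ORG_MANAGER = "org_manager"  # assumed role label


@dataclass(frozen=True)
class Principal:
    """A logged-in user as seen by a UI: token scopes plus per-org roles."""
    scopes: frozenset          # UAA scopes carried by the current token
    org_roles: dict            # org name -> frozenset of org-level roles


def can_add_users_global_first(p: Principal, org: str) -> bool:
    """Global-coverage roles are decided first (the behaviour the thread
    describes). A read-only global role wins over an org-level write role."""
    if SCOPE_ADMIN in p.scopes:
        return True
    if SCOPE_GLOBAL_AUDITOR in p.scopes:
        return False            # read-only role: no writes in any org
    return ORG_MANAGER in p.org_roles.get(org, frozenset())


def can_add_users_per_org(p: Principal, org: str) -> bool:
    """Org-level role is decisive for that org (what the reporter sees the
    CLI/API allow). A global read-only role does not remove org-level writes."""
    if SCOPE_ADMIN in p.scopes:
        return True
    return ORG_MANAGER in p.org_roles.get(org, frozenset())


def policy_disagreements(p: Principal) -> set:
    """Orgs where the UI policy would hide an action the per-org policy permits.

    Useful as an audit: a non-empty result means a user can perform writes
    through the API that the UI never offers them (or vice versa), which is
    worth knowing before relying on the UI as an access-control boundary."""
    return {
        org
        for org in p.org_roles
        if can_add_users_global_first(p, org) != can_add_users_per_org(p, org)
    }


# Constructed sample: the reporter's situation. Global auditor scope on the
# token, org manager in one org (org name is made up for the example).
reporter = Principal(
    scopes=frozenset({SCOPE_GLOBAL_AUDITOR}),
    org_roles={"compliance-org": frozenset({ORG_MANAGER})},
)

# A plain org manager with no global role behaves the same under both policies.
plain_manager = Principal(
    scopes=frozenset(),
    org_roles={"compliance-org": frozenset({ORG_MANAGER})},
)

if __name__ == "__main__":
    for name, who in (("reporter", reporter), ("plain_manager", plain_manager)):
        print(name,
              "global_first=", can_add_users_global_first(who, "compliance-org"),
              "per_org=", can_add_users_per_org(who, "compliance-org"),
              "disagreements=", policy_disagreements(who))
```

Running it shows the reporter allowed under the per-org policy but denied under the global-first policy, so `policy_disagreements(reporter)` contains `compliance-org`, while the plain org manager gets the same answer from both. This also illustrates why a stale token matters in the way richard-cox mentions: both functions read only the scopes on the current token, so a token issued before a role change will keep producing the old answer until it is refreshed.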

pburkholder commented 4 years ago

Thanks for the update @richard-cox. I'll stand by my "bug" designation. It makes sense to me that the specific "org-manager for compliance-org" supersedes the "global auditor" privileges in the context of that one org. So I think what the CLI does, and what the API allows, are correct.

I also understand that what an API allows is not always the same as what you can represent in a GUI, so I won't quibble if y'all make this a low-priority bug (also given the small audience of impacted people).