cuba-platform / multitenancy-addon

Implementation of a single database multi-tenancy support for CUBA applications.
Apache License 2.0

Impossible to view Users, Roles, User Groups menu items by user with tenant-admin-role #56

Closed maistrenkoIulia closed 2 years ago

maistrenkoIulia commented 4 years ago

Environment

- CUBA Platform version: 7.2.8
- CUBA Studio plugin version: 15.0.SNAPSHOT2597-202
- IntelliJ version: IntelliJ IDEA 2020.2 (Community Edition)

Description of the bug or enhancement

Add the design-time role tenant-user-manager for users with the tenant, who has screen access Administration and entity access sec$MultipleTarget, sec$OperationTarget.

Add @Deprecated annotation for TenantsAdminRole.

Minimal reproducible example

  1. user 1 has two predefined roles (tenant-admin-role, default-tenant-role). For tenant-admin-role, the Users, Access groups and Roles screens are allowed (the corresponding entities and attributes are also allowed), but the Administration screen isn't allowed. Log in as user 1 (password = 1).

    Expected behavior:

    Users, Roles, User Groups menu items should be visible

    Actual behavior:

    No menu items from the Administration section are visible. (Attachment: multitenant.zip)

  2. For tenant-admin-role, a permission for the OperationPermissionTarget entity needs to be added; otherwise the user sees empty strings when creating a new role.

  3. A user with a tenant role should be able to see all assigned roles in the user editor (now there are empty strings instead of non-tenant roles).

fmvalsera commented 4 years ago

I would say your issue is related to this one #55 previously reported.

gorbunkov commented 3 years ago

tenant-admin-role should probably be deprecated. The new role tenant-user-management-role should be introduced. The reason for that is because "admin" term may give the wrong impression that the role grants everything. However, the role should only grant permissions for managing users, groups and roles within the tenant.

"Global" database roles (roles without tenantId created by global admin) should not work. If the application needs roles available in all tenants, design-time roles (annotated classes) must be used. This must be written in a README.

JackyLee818 commented 3 years ago

> tenant-admin-role should probably be deprecated. The new role tenant-user-management-role should be introduced. The reason for that is because "admin" term may give the wrong impression that the role grants everything. However, the role should only grant permissions for managing users, groups and roles within the tenant.

May I know if there is any timeline in fixing this bug, or implementing the new role "tenant-user-management-role"?