Cluster owner unable to modify Project members

[nwmac]

Internal Reference: SURE-6940

I have a cluster where an admin with Cluster Owner entitlements is unable to manage members of projects in the same cluster.

I do not even see the "Members" tab when creating/modifying a project.

[gaktive]

Looks related to https://github.com/rancher/dashboard/issues/10215

[gaktive]

Workaround: Create a new custom role that includes read permissions for role templates ("get", "list", "watch" on "roletemplates" in "management.cattle.io")

Backend took a look and reported:

I was able to add a project member to one of the projects through Norman. Because of this (and the note in the issue , I suspect that this is a UI issue, due to the user not being able to see RoleTemplates. Similar to what was described in the issue, when I added the "Manage Roles" global role to the user (which gives * on RoleTemplates), the issue somewhat resolved and I was able to at least see the buttons to add users (though the principal search functionality was also non-functional).

E2E should be able to cover it.

[gaktive]

@richard-cox to investigate in this area some more and we can groom again.

[richard-cox]

I've added a comment in JIRA. Waiting customer feedback.

Very roughly

If the global role is the issue, it's similar to https://github.com/rancher/dashboard/issues/9804 (also https://github.com/rancher/dashboard/issues/10215) where a user with only the global user-base role and cluster-owner cluster role was expected to manage the cluster. The user-base role lacks permissions that are required

[richard-cox]

Marking this as blocked on our side (https://github.com/rancher/dashboard/issues/10787), from that the solution may not be UI related