rancher / dashboard

The Rancher UI
https://rancher.com
Apache License 2.0
459 stars, 260 forks

Unauthorized Access to 'Edit Config' Option in Users & Authentication Section for Users Without Sufficient Permissions #10780

Open aalves08 opened 6 months ago

aalves08 commented 6 months ago

Internal reference: SURE-8160

Setup

Describe the bug

When a non-admin user, whether with a local auth provider or external auth provider, navigates through Rancher UI -> Users & Authentication, he can see his user object there.

If the user clicks on the 'Edit Config' option and tries to edit any value like a password, a permission error is shown to the user. The 'Edit config' option should not be shown to the users unless they are admins or have the correct permissions.

To Reproduce

Log in to the Rancher UI using a local auth user or IDP user and navigate through Rancher UI -> Users & Authentication

After clicking the three dots, the user will see the 'Edit config' option. However, if a user tries to edit anything (password for example), it will show a 'Forbidden: permission denied' error.

Result

A user with insufficient permissions can see the 'Edit config' option for the user object.

Expected Result

The 'Edit config' option for user objects should not be available for users who do not have the right permissions.

Screenshots

[screenshot: repro-2 8 3-system-std-user] [screenshot: repro-2 7 10-system-std-user]

Additional context

Happens to users with Global Permissions Standard User and User-Base

aalves08 commented 6 months ago

UPDATE: This will need investigation to see if schemas have the correct information in terms of RBAC. If so, then the proposed UX solution is:

Yes, disabling the Edit functionality for these users is correct. I don't think we need to add any additional information, or banner, etc.

Based on SURE information
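As an added illustration of the fix direction discussed in this issue (this is example code, not rancher/dashboard's own implementation), the snippet below derives the action menu for a resource from the permission information the backend already reports, so a user who lacks update rights never sees 'Edit Config' in the first place. The `schema.resourceMethods` and `resource.links` shapes are modelled on what Rancher's Steve API returns, but the schema and resource objects here are constructed for the example, and the exact field values for a Standard User are an assumption rather than something the issue confirms. The API's own 'Forbidden: permission denied' response remains the enforcing control; hiding the menu entry only keeps the UI consistent with it.

```javascript
// Added example, not rancher/dashboard code. Decides which row actions to offer
// for a user object based on server-reported RBAC hints, so the UI does not
// advertise an edit the API will refuse.

// Update is offered only when the schema says the resource type accepts PUT
// *and* the backend attached an "update" link to this particular instance.
function canUpdate(schema, resource) {
  const methods = Array.isArray(schema?.resourceMethods) ? schema.resourceMethods : [];
  const typeAllowsPut = methods.includes('PUT');
  const instanceHasUpdateLink = typeof resource?.links?.update === 'string';
  return typeAllowsPut && instanceHasUpdateLink;
}

// Builds the three-dots menu for one resource. 'Edit Config' is omitted entirely
// (rather than shown and failing later) when the caller cannot update it.
function availableActions(schema, resource) {
  const actions = [
    { action: 'viewYaml', label: 'View YAML' },
  ];
  if (canUpdate(schema, resource)) {
    actions.push({ action: 'goToEdit', label: 'Edit Config' });
  }
  return actions;
}

// --- constructed sample data (assumed shapes, not captured from a live Rancher) ---

// Admin: the type accepts PUT and the user instance carries an update link.
const ADMIN_USER_SCHEMA = { id: 'management.cattle.io.user', resourceMethods: ['GET', 'PUT', 'DELETE'] };
const ADMIN_USER_RESOURCE = {
  id: 'u-admin',
  links: { self: '/v1/management.cattle.io.users/u-admin', update: '/v1/management.cattle.io.users/u-admin' },
};

// Standard User viewing their own user object: readable, but no PUT and no update link.
const STD_USER_SCHEMA = { id: 'management.cattle.io.user', resourceMethods: ['GET'] };
const STD_USER_RESOURCE = {
  id: 'u-std',
  links: { self: '/v1/management.cattle.io.users/u-std' },
};

// Stand-alone run: print the menus each role would see.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('admin   :', availableActions(ADMIN_USER_SCHEMA, ADMIN_USER_RESOURCE).map((a) => a.label));
  console.log('standard:', availableActions(STD_USER_SCHEMA, STD_USER_RESOURCE).map((a) => a.label));
}
```

The check deliberately requires both signals: a type-level `resourceMethods` entry alone would still show the action to a user who can update some instances but not this one, and a per-instance link alone would be trusted without the type ever having been confirmed as writable. If the schemas turn out not to carry correct RBAC information, as the comment above flags for investigation, this kind of gating cannot work until the backend data is fixed, which is why the issue's first step is verifying the schemas.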