Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make space roles assignable to users which have ANY org role #3377

Open
svkrieger opened this issue Aug 7, 2023 · 0 comments
Open

Make space roles assignable to users which have ANY org role #3377

svkrieger opened this issue Aug 7, 2023 · 0 comments
Labels
enhancement unscheduled

Comments

@svkrieger
Copy link
Contributor

svkrieger commented Aug 7, 2023
edited
Loading

Issue

Assigning space roles to users is only possible as long as the user has the organization_user role. Even when the user has other org roles like organization_manager, space roles cannot be assigned. Together with the inconsistent handling of this role in the cf cli this gets confusing to users.

Context

The V2 API assigned the organization_user automatically when assigning any org or space role to a user. V3 does not do so anymore (which is good).

CF CLI inconsistency:
The CF CLI does create the org user role whenever set-space-role is executed. When removing the space roles from the user, the org user role remains and cannot easily be removed by the unset-org-role, but has to be deleted via a cf curl -X DELETE /v3/roles.... In this regards the cf cli is inconsistent. I opened an issue regarding this in the CF CLI repo (cloudfoundry/cli#2496)

Issue with API and suggested improvement:
From an API point of view it would be favourable to be able to assign space roles to a user who already has any org role and not be limited to the org user role. So for example if a user already has the org manager role, it should be possible to give that user space roles.
On deletion of the org user role, currently the CC also checks for space roles. If space roles are assigned to the user, the org user role cannot be removed. In this case it would also be better to check for existing space roles only when the last org role is requested to be removed. So e.g. a user has the org user and org manager role. If the deletion of the org user or org manager role is requested it should succeed, because one org role is still remaining, which gives access to the org and therefore access to the spaces. If, in a second request, the last org role is requested to be deleted it should fail if the user still has space roles in that org assigned.

Possible blockers:
As the V2 API is still in use and hasn't been removed completely, it needs to be checked whether this change could be implemented in a backwards compatible way.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement unscheduled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cf-gitbot @FloThinksPi @svkrieger