Self service portal catalog is empty for non-admin user [SOLVED]

#1

Hi, I have a weird issue with the self service portal on gaprindashvili-4.20180710132129 - a non-admin user does not see any catalog item in the self service portal.

My test setting seems simple - one catalog item with 1 policy tag:

and Assigned filter setting on LDAP group:

but TestUSR_PCloud_12 sees nothing in self_service portal:

I found a similar post, but it did not help me at all - How to make Service Catalog visible to a group? [SOLVED]

I am new to MIQ, so any help will be appreciated.

Thank you


#2

I think you might need to change the assigned filters tags for your group to just contain one of the kb team identification tags rather than both Tribe1 & Tribe2. With both tags listed I think you’d need the service catalog item to be tagged with both tags for this to be visible.

There’s a good description of tag-related RBAC and visibility here: https://cloudformsblog.redhat.com/2016/10/13/using-tags-for-access-control/

pemcg


#3

That worked indeed! Thank you very much.

But one thing confuses me - if group1 should have access to the Tribe1 tag and group2 to the Tribe2 tag, how do I set up a group groupMaster which can access both? My original idea was to just select both tags in Assigned filters, but after your response it seems to me that I need to create a new tag in the same category (i.e. TribeAll) and use this one, correct? So there would be Tribe1 and TribeAll on the catalog item…


#4

When using tags for RBAC, I usually create two tag categories, visibility and owner. Both categories contain the same tags (usually the department or group names) but the multi-value visibility tag is used to determine who can see what - templates, service catalog items, VMs, hosts, datastores etc - and the single value owner tag is used to indicate which objects are owned by whom, which is useful for accounting, chargeback, quotas etc. Objects are generally owned by a single group, hence the single value tag category. The visibility tag can also be used for VM provisioning placement instead of the prov_scope tag if you wish.

So in your example I’d tag the service catalog item with visibility/tribe_1, visibility/tribe_2 & visibility/tribe_master so that everyone could see it. Your AP_CLD_Tribe1* groups would have an assigned filters tag of visibility/tribe_1, and any services created by a group member would be tagged with both visibility/tribe_1 and owner/tribe_1 to indicate ownership, and to allow group members to see it. You could also tag the new service with visibility/tribe_master if you want your “master” admins to see it.

Tagging items in this way also makes it easy to sanity check who should be able to see it, by just looking at the list of visibility tags.

Hope this helps,
pemcg
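
An added example, not part of the original post and not ManageIQ code: a small offline model of the visibility/owner scheme described in #4, used to sanity check who can see an object from its tag list. It assumes each group has exactly one assigned filter tag and sees any object carrying that tag; the group AP_CLD_Tribe2, the item names and the tag data are constructed.

```python
# Model of the two-category tagging scheme from post #4 (not a ManageIQ API).
# Constructed sample data: one assigned-filter tag per group (assumption).
GROUP_FILTER = {
    "AP_CLD_Tribe1": "visibility/tribe_1",
    "AP_CLD_Tribe2": "visibility/tribe_2",      # hypothetical group name
    "groupMaster": "visibility/tribe_master",
}
# Constructed objects and the tags attached to them.
ITEMS = {
    "catalog_item_A": {"visibility/tribe_1", "visibility/tribe_2",
                       "visibility/tribe_master"},
    "service_t1": {"visibility/tribe_1", "owner/tribe_1"},
    "service_t2": {"visibility/tribe_master", "owner/tribe_2"},
    "service_bad": {"visibility/tribe_1", "owner/tribe_1", "owner/tribe_2"},
}

def values(tags, category):
    """Return the tag values an object carries in one category."""
    prefix = category + "/"
    return {t[len(prefix):] for t in tags if t.startswith(prefix)}

def visible_to(tags, group_filter=GROUP_FILTER):
    """Groups whose assigned filter tag is present on the object."""
    return sorted(g for g, f in group_filter.items() if f in tags)

def audit(items=ITEMS, group_filter=GROUP_FILTER):
    """Flag objects whose tags contradict the scheme."""
    findings = []
    for name, tags in sorted(items.items()):
        owners = values(tags, "owner")
        vis = values(tags, "visibility")
        if len(owners) > 1:            # owner is meant to be single value
            findings.append((name, "multiple owner tags"))
        for o in sorted(owners - vis):  # owning group would not see its own object
            findings.append((name, f"owner {o} lacks visibility/{o}"))
        if not visible_to(tags, group_filter):
            findings.append((name, "visible to no group"))
    return findings

if __name__ == "__main__":
    for name, tags in sorted(ITEMS.items()):
        print(name, "->", visible_to(tags))
    for finding in audit():
        print("FINDING:", *finding)
```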


#5

I see. So my issue was caused by inappropriate use of a single-value category…

Thank you very much for your answers and tips, they helped me a lot.