RBAC on Service Catalog Items

Hi all,

I have a use case where I need to limit certain catalog items to specific teams within the same tenant. For example, only the network team can access Catalog Items related to network. On the other side, I do not want to limit the team’s access to tenant resources such as virtual machines and hosts; actions on the resources can be controlled by roles and assigned to specific groups.

I know that we have tags to control access to catalog items, but in this case I will need to tag all the objects and not only catalog items. There is no mechanism to limit the tagging scope only to a Service Catalog.

Is there any other approach to achieve the goal?

@lpichler Can you help @tonic here?

Hi @tonic,

It depends on what is meant by “teams”.
When a team is represented by a tenant (subtenant or project), then you can use the
“additional tenants” feature. You can find more about it here https://www.manageiq.org/docs/guides/architecture/rbac in the section Additional Tenancy Sharing (applies to Catalog Items only).

Basically, it allows you to put a catalog item into selected tenants in the tree, across the whole tenant tree in the system (when it is done by a user with access to the whole tenant tree, like admin, …).

You can find it in UI:
Additional tenants in UI

When teams are “groups”, you can use the Set Ownership feature and assign catalog items to
the selected groups. But it is not across the whole system; it will respect the current user’s tenant scoping.

Let me know if this helped.

Hi @lpichler,

Thanks for the detailed reply. In my case, by a “team” I mean a group within one tenant. All groups should “see” Infrastructure Resources (vms, hosts, clusters). But some catalog items should only be seen by specific groups.

I have tried to use the Set Ownership feature, but it has no effect on visibility. A user within a specific group can still see all catalog items he does not own. I guess this is by design, as the catalog item and the user belong to the same tenant?

As for the Additional Tenancy Sharing feature, it incurs management of groups as tenants: creation of a tenant per each group, assignment of people and catalog items to each tenant. In this case, people will not have a full view of infrastructure resources. Maybe it’s a bit off topic, but I have tried to put a user into a separate tenant (via group) and he still was able to see all catalog items. Maybe it’s my misconfiguration. I will try to check the config once more.