Project role Allow rules doesn't have any effect

[rajujith]

ISSUE TYPE

• Bug Report

COMPONENT NAME

UI,API 

CLOUDSTACK VERSION

4.19.0.0

SUMMARY

Project roles by design could only further restrict the access of users based on the RBAC. However, in the UI there is an option to 'Allow' more APIs however it doesn't take effect. This needs to be reviewed to either allow more access in project roles ( there are some use cases for it) otherwise remove the option to 'Allow' which does not work.

STEPS TO REPRODUCE

1. Create an account and user with 'user role'.
2. Create a new project and create a project role.
3. In the project role add a rule that allows an API that is restricted for the user role. 
4. Add the above user to the project assigning the above project role.
5. Verify whether the user has any elevated privileges to run the Allowed API. 

https://www.shapeblue.com/cloudstack-feature-deep-dive-role-based-users-in-projects/

[andrijapanicsb]

Agree Jithin, worst case we can update the docs, to say " "allow" is there, but not really usable/doesn't work" or similar

[Pearl1594]

As far as I understand, Project roles are meant to be restrictive in nature, i.e., a user added to a project, should not be allowed to perform any operation that the user role doesn't allow it to perform. Say, you Create a user account and login as the user. Then as the user, create a project. In this context, when adding project role rules, one would only be able to list the APIs the userRole allows. I think we should document this behaviour clearly as what @andrijapanicsb mentioned, rather that allow to elevate a users permission to perform certain operations in a project..

[DaanHoogland]

I agree with @Pearl1594 , project roles cannot elevate rights of a user beyond what they are assigned in the first place. I say this is not a bug but a feature ;)