Setting ownership of a Service seems to require too many product features #22985

Open
jrafanie opened this issue Apr 10, 2024 Discussed in #22965 · 3 comments
@jrafanie
Member

Discussed in https://github.com/orgs/ManageIQ/discussions/22965

Originally posted by uejo March 28, 2024
Hello, I have a use case where a user wants to move his service to another group in the same tenant. The only way I managed to accomplish this seems to require unnecessary Product Features.
Steps I have taken so far:

  • create a new tenant under "My Company"
  • create a copy of the EvmRole-user_self_service role and add the following Features as seen in the picture below:
    I also had to set the Access Restriction to "None" in the service role, otherwise I am also not able to see other groups.
    The Set Ownership seems necessary to even have the Button available (at least in the new UI, in the self service UI the button option is always available).
    The Groups View is necessary otherwise you get API error permission denied on the /api/groups endpoint

image

  • create 2 groups, assign both the newly created tenant and the role above.
  • create a service as user1 (I added a Generic Service in the default Catalog)

Now I can select the 2nd group
image
But I have permissions to create and delete Tenants; of course I don't want that.
image

But as soon as I remove the Tenant permissions product feature, and it doesn't matter if you remove Modify or Operate, removing one of those is enough, I cannot see any other groups anymore:
image

So how can I accomplish what I'm trying to do? I am using the self_service UI which has the Button "Set ownership" but as of now it seems I can't really use that feature.
image

@jrafanie jrafanie added the bug label Apr 10, 2024
@jrafanie jrafanie self-assigned this Apr 10, 2024
@jrafanie
Member Author

From: https://github.com/orgs/ManageIQ/discussions/22965#discussioncomment-9051032

So, I tracked it down to this code:

```ruby
scope = scope.with_groups(user.miq_group_ids) unless role&.tenant_admin_user?
```

We're only showing users and groups outside your own group if you're considered a tenant admin or super admin, which is also a tenant admin.

This is why it works when you give your user all permissions under Access control -> Tenants.

I'm not sure how to enable the ability to set ownership outside of your group for a user with less permission.
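The following is an added example, not ManageIQ code and not part of the comment above: a simplified Ruby model of the quoted visibility filter, showing why the workaround grants tenant administration as a side effect. The feature identifiers, the `FEATURE_TREE` rule (holding every child of a node counts as holding the node), and the `Role`, `User`, `visible_groups` and `excess_features` names are assumptions chosen to match the behaviour reported in this issue.

```ruby
require "set"

# Constructed feature tree (hypothetical identifiers, not ManageIQ's real ones).
# Assumption: holding every child of a node counts as holding the node itself.
FEATURE_TREE = {
  "tenant_admin" => %w[tenant_view tenant_modify tenant_operate]
}.freeze

Role = Struct.new(:name, :features) do
  # True when the role holds the feature directly or holds all of its children.
  def allows?(feature)
    return true if features.include?(feature)
    children = FEATURE_TREE[feature]
    !children.nil? && children.all? { |c| allows?(c) }
  end

  def tenant_admin_user?
    allows?("tenant_admin")
  end
end

User = Struct.new(:name, :role, :group_ids)

# Mirrors the quoted line: restrict to the user's own groups unless tenant admin.
def visible_groups(user, all_groups)
  return all_groups if user.role&.tenant_admin_user?
  all_groups.select { |g| user.group_ids.include?(g[:id]) }
end

# Features a role holds beyond what the task needs: the over-privilege cost.
def excess_features(role, needed)
  (role.features - needed).sort
end

# Constructed sample data.
GROUPS  = [{ id: 1, name: "group1" }, { id: 2, name: "group2" }].freeze
NEEDED  = Set["set_ownership", "groups_view"].freeze
MINIMAL = Role.new("self_service_copy", NEEDED.dup)
WIDENED = Role.new("self_service_plus_tenants", NEEDED | FEATURE_TREE["tenant_admin"])
PARTIAL = Role.new("without_modify", WIDENED.features - ["tenant_modify"])

[MINIMAL, WIDENED, PARTIAL].each do |role|
  user = User.new("user1", role, [1])
  names = visible_groups(user, GROUPS).map { |g| g[:name] }
  puts "#{role.name}: sees #{names.inspect}, excess #{excess_features(role, NEEDED).inspect}"
end
```

In this model only the role holding every tenant feature sees the second group, and `excess_features` lists exactly the tenant privileges the reporter did not want to grant.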

@jrafanie jrafanie changed the title from "Setting ownership of a Service seems to require to many product features" to "Setting ownership of a Service seems to require too many product features" Apr 26, 2024
@miq-bot miq-bot added the stale label Jul 29, 2024
@miq-bot
Member

miq-bot commented Jul 29, 2024

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

@miq-bot
Member

miq-bot commented Nov 1, 2024

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.
