Super-admin role required to edit config files

Description

Being an admin user is not sufficient to enable this very privileged level of access. A new role must be assigned to each user who is allowed to edit the configs from the web.

Acceptance / Success Criteria

  • The new role is assignable via the usual "Configure users" web flow

  • The new role's name conveys the notion that it grants privileges above and beyond ROLE_ADMIN. "Super admin" and "extra admin" have been tossed around as possible names.

  • The default admin user is not a member of this new role in the shipping configs

  • Any user with the ROLE_ADMIN role assigned can escalate any user to have the new role; this includes self-escalation by the default admin user


Activity


Scott Theleman May 17, 2022 at 3:31 PM

Will be renaming the role from 'ROLE_CONFIG_EDITOR' to 'ROLE_FILESYSTEM_EDITOR' to help clarify.

Scott Theleman May 17, 2022 at 2:01 PM

Note, the new role is for editing configuration files for OpenNMS itself, not editing DCB-related files. At this time we do not have a feature to edit device configuration backup files. There is a separate 'ROLE_DEVICE_CONFIG' to allow access for viewing and performing actions on Device Config items.

Dennis Pan May 16, 2022 at 9:10 PM

For this new role, we probably need to add a new action in the action panel to allow users to edit the config files that would have the same UI as the view history modal, and also allows navigation between the modals. See screenshots.

Scott Theleman May 10, 2022 at 9:04 PM

A new role, ROLE_CONFIG_EDITOR, is added to allow access to view/edit configuration files via REST and the UI.

Admin users are disallowed access to view or edit, unless they also have the ROLE_CONFIG_EDITOR role.

Note that someone with the config editor role will also need a role such as ROLE_USER in order to view the UI. However, someone could have ROLE_CONFIG_EDITOR only, to view/edit via the REST API only (e.g. via curl, etc.).

Also, "File Editor" won't display in the UI without this role and users won't even know it exists, except via documentation.

Fixed

Details

Docs Needed

Yes


Created May 2, 2022 at 1:35 PM
Updated June 7, 2022 at 4:51 PM
Resolved May 11, 2022 at 7:55 PM