Trying to use the built-in roles to let testers run trace sessions without limited editing ability. Although the Read Only Org Admin role states:
Trace in any environment | /environments/*/applications/*/revisions/*/debugsessions |
I'm not able to start any trace sessions.
I am able to reproduce the issue for "Read-only Organization Administrator". Seems like a permissions issue and a bug.
As a work-around,
I think it's a bug in the product. Good catch.
traceAccess role permissions:

```json
{
  "resourcePermission": [
    {
      "organization": "xxxx",
      "path": "/environments/prod/applications/*/revisions/*/debugsessions",
      "permissions": ["get", "put"]
    },
    {
      "organization": "xxxx",
      "path": "/environments/test/applications/*/revisions/*/debugsessions",
      "permissions": ["get", "put"]
    }
  ]
}
```

readOnlyAdmin role permissions:

```json
{
  "resourcePermission": [
    {
      "organization": "xxxx",
      "path": "/environments/*/applications/*/revisions/*/debugsessions",
      "permissions": ["get"]
    },
    {
      "organization": "xxxx",
      "path": "/environments/test/applications/*/revisions/*/debugsessions",
      "permissions": ["get"]
    }
  ]
}
```
As you can see, PUT access is missing in the readOnlyAdmin role. It seems PUT method access is needed to use trace.
Ah, OK.
I was considering creating a custom role, but the User role works.
I'll probably create custom roles, especially considering we have different environments than just "test" and "prod".
Creating a trace session requires access to POST against
/environments/{environment_name}/apis/{api_name}/revisions/{revision_number}/debugsessions
As such it would not be a Read Only role - I think the docs (assuming that snip above is from docs) are the issue not the role definition itself. @Floyd Jones would you concur?
@David Allen, at the moment we don't include the specific role definitions in the docs. That's probably coming from the UI when you click the Read-only Organization Administrator role. So this is likely a product issue.
BTW: the ReadOnly can retrieve trace messages from a trace session if the identity of the debugSession is shared with them.
Well, read-only from the perspective of testing and debugging an issue without the ability to change a proxy or deployments. In other words can only see what's going on, like a security monitor 🙂
User role has the ability to start Trace sessions via
Trace in any environment | /environments/*/applications/*/revisions/*/debugsessions | GET PUT DELETE |
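An added example, not part of the thread and not Apigee code: a small audit that takes role bodies in the `resourcePermission` shape quoted above and reports, per environment, whether a role can read trace data and whether it can start a session. Assumptions: `*` matches exactly one path segment, the verb needed to start a session is a parameter (the thread mentions both PUT and POST), and the probe values `app1`, revision `1` and environment `dev` are constructed.

```python
# Constructed sample: role bodies copied from the JSON quoted in this thread.
DEBUG = "/applications/*/revisions/*/debugsessions"
ROLES = {
    "traceAccess": {"resourcePermission": [
        {"organization": "xxxx", "path": "/environments/prod" + DEBUG,
         "permissions": ["get", "put"]},
        {"organization": "xxxx", "path": "/environments/test" + DEBUG,
         "permissions": ["get", "put"]},
    ]},
    "readOnlyAdmin": {"resourcePermission": [
        {"organization": "xxxx", "path": "/environments/*" + DEBUG,
         "permissions": ["get"]},
        {"organization": "xxxx", "path": "/environments/test" + DEBUG,
         "permissions": ["get"]},
    ]},
}

def path_matches(pattern, path):
    """Assumption: '*' stands for exactly one path segment."""
    want = pattern.strip("/").split("/")
    have = path.strip("/").split("/")
    return len(want) == len(have) and all(
        w == "*" or w == h for w, h in zip(want, have))

def allowed_verbs(role, path):
    """Union of the verbs granted by every entry whose pattern covers path."""
    verbs = set()
    for entry in role.get("resourcePermission", []):
        if path_matches(entry["path"], path):
            verbs.update(v.lower() for v in entry["permissions"])
    return verbs

def trace_report(roles, environments, start_verb="put"):
    """Map (role, env) -> whether the role can read and start trace sessions."""
    report = {}
    for name, role in roles.items():
        for env in environments:
            # app1 / revision 1 are constructed probe values
            probe = f"/environments/{env}/applications/app1/revisions/1/debugsessions"
            verbs = allowed_verbs(role, probe)
            report[(name, env)] = {"read": "get" in verbs,
                                   "start": start_verb.lower() in verbs}
    return report

if __name__ == "__main__":
    for key, caps in sorted(trace_report(ROLES, ["prod", "test", "dev"]).items()):
        print(key, caps)
```

Running it with an environment list that includes names other than "test" and "prod" shows where a custom role with per-environment paths grants nothing at all.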