Read Only Org Admin role is not behaving as expected, cannot trace, anyone else using this role?

Trying to use the built-in roles to let testers run trace sessions without limited editing ability. Although the Read Only Org Admin role states:

Trace in any environment: /environments/*/applications/*/revisions/*/debugsessions

I'm not able to start any trace sessions.


@Kurt Kanaskie ,

I am able to reproduce the issue for "Read-only Organization Administrator". Seems like a permissions issue & a bug.

As a work-around,

  • I have created a new role called "traceAccess"
  • Given Trace Access to different environments


  • Assigned the trace role along with the "Read-only Organization Administrator" role to the user.
  • Log out & log in to see the changes.
  • Now the user can read only & do the trace in an org.

I think it's a bug in the product. Good catch.

traceAccess Role Permissions :


{
  "resourcePermission": [
    {
      "organization": "xxxx",
      "path": "/environments/prod/applications/*/revisions/*/debugsessions",
      "permissions": [
        "get",
        "put"
      ]
    },
    {
      "organization": "xxxx",
      "path": "/environments/test/applications/*/revisions/*/debugsessions",
      "permissions": [
        "get",
        "put"
      ]
    }
  ]
}

readOnlyAdmin Role Permissions :


{
  "resourcePermission": [
    {
      "organization": "xxxx",
      "path": "/environments/*/applications/*/revisions/*/debugsessions",
      "permissions": [
        "get"
      ]
    },
    {
      "organization": "xxxx",
      "path": "/environments/test/applications/*/revisions/*/debugsessions",
      "permissions": [
        "get"
      ]
    }
  ]
}

As you can see, PUT access is missing in the readOnlyAdmin role. Seems like PUT method access is needed to use trace.
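
An added example, not part of the original post or of the product's own code: it audits role permission documents shaped like the two quoted above and reports, per environment, which verbs are still missing for trace. It assumes that `*` matches exactly one path segment, that permissions from several assigned roles add up (as the work-around implies), and that `get` plus `put` are what trace needs (as stated in the post); `dev` and `sample-proxy` are constructed names.

```python
# Added example: role documents rebuilt from the JSON quoted in the post above.
DEBUG = "/environments/{}/applications/*/revisions/*/debugsessions"

def perm(env, *verbs):
    return {"organization": "xxxx", "path": DEBUG.format(env), "permissions": list(verbs)}

TRACE_ACCESS = {"resourcePermission": [perm("prod", "get", "put"), perm("test", "get", "put")]}
READ_ONLY_ADMIN = {"resourcePermission": [perm("*", "get"), perm("test", "get")]}

def path_matches(pattern, path):
    """Assumption: '*' in a role path stands for exactly one path segment."""
    want, got = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(want) == len(got) and all(w in ("*", g) for w, g in zip(want, got))

def granted_verbs(roles, path):
    """Union of the verbs that the given roles grant on one concrete path."""
    verbs = set()
    for role in roles:
        for entry in role["resourcePermission"]:
            if path_matches(entry["path"], path):
                verbs.update(v.lower() for v in entry["permissions"])
    return verbs

def trace_gaps(roles, environments, needed=("get", "put")):
    """Return {environment: [missing verbs]} for every environment where the
    combined roles lack a verb in `needed` on the debugsessions resource."""
    gaps = {}
    for env in environments:
        # Hypothetical proxy name and revision, used only to form a concrete path.
        path = f"/environments/{env}/applications/sample-proxy/revisions/1/debugsessions"
        missing = sorted(set(needed) - granted_verbs(roles, path))
        if missing:
            gaps[env] = missing
    return gaps

if __name__ == "__main__":
    envs = ["test", "prod", "dev"]  # "dev" is a constructed extra environment
    print("read-only alone:        ", trace_gaps([READ_ONLY_ADMIN], envs))
    print("read-only + traceAccess:", trace_gaps([READ_ONLY_ADMIN, TRACE_ACCESS], envs))
```

Running it over every environment in the org shows where a custom trace role with hard-coded environment names still leaves testers without trace.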

Ah, OK.

I was considering creating a custom role, but the User role works.

I'll probably create custom roles, especially considering we have different environments than just "test" and "prod".


Creating a trace session requires access to POST against

/environments/{environment_name}/apis/{api_name}/revisions/{revision_number}/debugsessions

As such it would not be a Read Only role - I think the docs (assuming that snip above is from docs) are the issue not the role definition itself. @Floyd Jones would you concur?

@David Allen, at the moment we don't include the specific role definitions in the docs. That's probably coming from the UI when you click the Read-only Organization Administrator role. So this is likely a product issue.


BTW: the ReadOnly can retrieve trace messages from a trace session if the identity of the debugSession is shared with them.

Well, read-only from the perspective of testing and debugging an issue without the ability to change a proxy or deployments. In other words can only see what's going on, like a security monitor 🙂

User role has the ability to start Trace sessions via

Trace in any environment: /environments/*/applications/*/revisions/*/debugsessions GET PUT DELETE