API Proxy Roles UI Permissions Restriction

For proxies there is a section in the UI that allows the user to edit the roles that can edit the proxy. We have a very specific set of custom roles, so we don't want the general users to change their permissions. Is there a way to prevent the user from clicking on that button, or, if that is impossible, is it possible to prevent them from making any changes once they have clicked that button? (screenshot: screen-shot-2016-09-14-at-20810-pm.png)

I've tried adding the following permissions:

[
  {"path": "/userroles/*/permissions", "permissions": ["get"]},
  {"path": "/userroles", "permissions": ["get"]},
  {"path": "/applications/*/roles", "permissions": []}
]
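One way to audit a permission set in this shape offline, as an added example that is not code from the thread or from Apigee: it flags entries that grant put/delete on role-management paths and evaluates what a request would be allowed. It assumes `*` matches exactly one path segment and that the most specific matching entry decides; the "proxy developer" set and the role-management path list are constructed.

```python
# Added example, not code from the thread or from Apigee: lint a role's
# resource-permission set in the [{"path": ..., "permissions": [...]}] shape
# used in the original post. Assumptions: "*" matches exactly one path
# segment, and the most specific matching entry decides a request.

# The three entries from the original post.
ORIGINAL_POST_SET = [
    {"path": "/userroles/*/permissions", "permissions": ["get"]},
    {"path": "/userroles", "permissions": ["get"]},
    {"path": "/applications/*/roles", "permissions": []},
]

# Constructed "proxy developer" set; the third entry is the kind of grant
# that would let a developer change who may edit a proxy.
PROXY_DEVELOPER_SET = [
    {"path": "/applications", "permissions": ["get"]},
    {"path": "/applications/*", "permissions": ["get", "put", "delete"]},
    {"path": "/applications/*/roles", "permissions": ["get", "put"]},
    {"path": "/userroles", "permissions": ["get"]},
    {"path": "/userroles/*/permissions", "permissions": ["get"]},
]

# Assumed list of paths that manage roles and permissions (the paths named
# in the original post).
ROLE_MANAGEMENT_PATHS = ("/userroles", "/applications/*/roles")

def _segments(path):
    return [s for s in path.strip("/").split("/") if s]

def _seg_match(pattern_seg, seg):
    return pattern_seg == "*" or seg == "*" or pattern_seg == seg

def path_matches(pattern, path):
    """Full-length match: every segment equal or wildcarded."""
    ps, qs = _segments(pattern), _segments(path)
    return len(ps) == len(qs) and all(map(_seg_match, ps, qs))

def effective_permissions(perm_set, path):
    """Permissions of the most specific matching entry (empty set if none)."""
    matches = [e for e in perm_set if path_matches(e["path"], path)]
    if not matches:
        return set()
    literal = lambda e: sum(s != "*" for s in _segments(e["path"]))
    return set(max(matches, key=literal)["permissions"])

def is_allowed(perm_set, verb, path):
    return verb in effective_permissions(perm_set, path)

def risky_entries(perm_set, sensitive=ROLE_MANAGEMENT_PATHS):
    """Entries granting put/delete on or below a role-management path."""
    found = []
    for e in perm_set:
        writes = sorted(v for v in e["permissions"] if v in ("put", "delete"))
        segs = _segments(e["path"])
        if writes and any(len(segs) >= len(_segments(s))
                          and all(map(_seg_match, _segments(s), segs))
                          for s in sensitive):
            found.append((e["path"], writes))
    return found
```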


Editing permissions of a role can only be done by an Org administrator role, so if you mean general users with developer roles, they won't be able to access the Admin section in the UI. If, however, you are referring to other Org admins, then there is a Read-only org admin role which you should be able to assign to admin users that only allows read-only access to resources in the organization.

We have several custom roles and they can edit which roles apply to a proxy and what permissions the roles have for that proxy. I included a screenshot of what UI element I am talking about, for clarity

Here's an illustrated version of our issue:

A developer has edit permission on a proxy (screenshot: developer-edit-proxy-permissions-1.png)

If they click on the "Roles" button, then they can view the roles that have permissions for the proxy (screenshot: developer-edit-proxy-permissions-2.png)

If the developer clicks the "Edit" button, then they are able to edit the permissions for anyone who has a role, including adding Edit and Delete permissions to any role. (screenshot: developer-edit-proxy-permissions-3.png)

We are looking to disable this flow because we are managing users, roles, and permissions via automation and do not want manual involvement from users for anything role/permission related.

David, when you say: "If the developer clicks the 'Edit' button, then they are able to edit the permissions for anyone who has a role, including adding Edit and Delete permissions to any role."

Can you please check and confirm that the user (DAVID.BURKE@...) you are trying to edit & save the permissions with is not an orgadmin on that org (internal)? If you are not an orgadmin, edit & save won't be allowed, with an error saying "Insufficient Permissions".

Yes, we have tested this as a non-orgadmin user and they are able to make the changes. The users have custom roles; is there some permission that is necessary to get that "Insufficient Permissions" message?

Saving permissions (adding) is allowed for users with the set of permissions that we have defined as proxy developer. Would you like a copy of our permission set?

Amusingly, you cannot remove existing permissions because of a bug if you add the permissions from that UI in a specific way. You get this error: Permission should be either get,put or delete.