Limiting roles in tenants

Hi all, within the development (Jmix v2.1) of an application you must define a role that will be assigned to the tenants. Everything works perfectly, but those users can continue to create other roles for the users of that respective tenant. What happens? When creating other roles, they can see roles that were not assigned to them; shouldn't they only see the associated roles along with the active options?

If not, how do you limit this behavior, since he cannot give out permissions that he does not have?

Attentive to your comments,

Nelson F.

Any feedback or suggestions?

Hello Nelson,

Limiting access to roles to the ones assigned to the current user is not a typical task for Jmix Security. Usually, users that have access to administration screens and can create roles do not need to be restricted. Maybe it makes sense to not allow such users to edit roles if they should not see other roles except those assigned to them?

If you want to make a user edit and see only specific roles, I can suggest several options:

  1. Create a RowLevelRole for ResourceRoleEntity to filter out inappropriate roles. This approach will work if only resource role access needs to be controlled.
  2. Extend RowLevelRoleModelDetailView, RowLevelRoleModelListView and other views from the io.jmix.securityflowui.view.resourcepolicy, io.jmix.securityflowui.view.resourcerole, io.jmix.securityflowui.view.roleassignment, io.jmix.securityflowui.view.rowlevelpolicy and io.jmix.securityflowui.view.rowlevelrole packages where you want to restrict access to roles that are not assigned.

Could you please describe your case with an example, if I misunderstood you and the problem is something else?

Also, I've checked that roles created by a user in one tenant are not seen by a user in another tenant. If it is not so in your case, could you please provide a simple reproducible example so we can see this bug?

Regards,
Dmitry
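As an added illustration of option 1 from the reply above (not code from the thread or from Jmix itself), a row-level role that hides every ResourceRoleEntity row except the roles already assigned to the current user, so a tenant administrator cannot browse or hand out roles they do not hold. The JPQL entity name sec_RoleAssignmentEntity, its username/roleCode/roleType attributes, the 'resource' role type literal and the :current_user_username parameter are assumed from Jmix's security-data module and should be checked against the Jmix version in use; the package and role code are hypothetical.

```java
package com.example.tenantsecurity; // hypothetical package

import io.jmix.security.role.annotation.JpqlRowLevelPolicy;
import io.jmix.security.role.annotation.RowLevelRole;
import io.jmix.securitydata.entity.ResourceRoleEntity;

/**
 * Row-level role restricting visible resource roles to the ones the current
 * user has been assigned. It must itself be assigned to the tenant
 * administrators (directly or through the tenant role); users without it,
 * such as the global system administrator, keep seeing all roles.
 */
@RowLevelRole(name = "Own resource roles only", code = OwnResourceRolesOnlyRole.CODE)
public interface OwnResourceRolesOnlyRole {

    String CODE = "own-resource-roles-only"; // hypothetical role code

    /*
     * {E} is the alias Jmix substitutes for the constrained entity.
     * The subquery is evaluated in the database, so the filter also applies
     * to lookups performed from the role assignment views, not only to the
     * role list view. Assumed: sec_RoleAssignmentEntity with attributes
     * username, roleCode and roleType ('resource' for resource roles).
     */
    @JpqlRowLevelPolicy(
            entityClass = ResourceRoleEntity.class,
            where = "{E}.code in (select ra.roleCode from sec_RoleAssignmentEntity ra "
                  + "where ra.username = :current_user_username "
                  + "and ra.roleType = 'resource')")
    void ownResourceRolesOnly();
}
```

Note that this policy only filters rows loaded from the database: resource roles defined in code with @ResourceRole are not ResourceRoleEntity rows, so if such design-time roles must also be hidden, option 2 (customising the views) is still required.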