Role permissions don't work

Hello,

I have an issue with roles. I create a role with “don’t restart, don’t create action” permissions. I assign this role to a user. When the user logs in, they can create actions, restart servers, etc. I noticed that the user has permissions to restart and create actions. It seems user-level permissions overwrite role-level ones, so the role level isn’t functional. Changing the permissions of multiple users doesn’t make sense.

Can anyone assist with this?

Regards.

Hi @mkemalm

I’ve looked into a similar problem (together with strawgate):

So basically, the YES always wins over the no (user or role defined). So I guess you have a “YES” somewhere.

Hi!
Roles are used to “add (grant)” permissions, so if you have multiple roles you will have the sum of the granted permissions of all assigned roles.
That said, if you have a user with some “personally” granted permissions, you will not remove them by assigning a role that does not contain those grants.

So if you have to narrow security restrictions or use fine-grained permission grants, you have to define NMO operators with no permissions, and then define and assign roles as required by your security schema.

I hope this helps
Andrea

1 Like
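
A small model of the semantics described in the replies above (grants are summed, and a YES anywhere wins over a NO), added here as an illustration and not taken from the thread or from the product. The permission names, role names and operators are hypothetical, constructed sample data; the audit lists where each unwanted YES comes from.

```python
from dataclasses import dataclass, field

# Constructed sample data: permission and role names are hypothetical.
ROLES = {
    "restricted": {"can_create_actions": False, "can_restart": False},
    "helpdesk":   {"can_create_actions": False, "can_restart": True},
}

@dataclass
class Operator:
    name: str
    explicit: dict                      # permission -> True (YES) / False (NO) set on the operator
    roles: list = field(default_factory=list)

def grant_sources(op, permission, roles=ROLES):
    """Return every place that says YES for this permission."""
    sources = []
    if op.explicit.get(permission, False):
        sources.append("operator:" + op.name)
    for role in op.roles:
        if roles[role].get(permission, False):
            sources.append("role:" + role)
    return sources

def effective(op, permission, roles=ROLES):
    """A single YES anywhere wins; a NO never subtracts a grant."""
    return bool(grant_sources(op, permission, roles))

def audit(operators, expected_denied, roles=ROLES):
    """List (operator, permission, sources) where a permission meant to be denied is still granted."""
    findings = []
    for op in operators:
        for perm in expected_denied:
            sources = grant_sources(op, perm, roles)
            if sources:
                findings.append((op.name, perm, sources))
    return findings

# alice: operator-level YES plus a restrictive role (the situation in the question)
alice = Operator("alice", {"can_create_actions": True, "can_restart": True}, ["restricted"])
# bob: operator defined with no permissions, so only roles can grant
bob = Operator("bob", {"can_create_actions": False, "can_restart": False}, ["restricted"])
# carol: no operator-level grants, two roles; the second role grants restart
carol = Operator("carol", {}, ["restricted", "helpdesk"])

if __name__ == "__main__":
    for finding in audit([alice, bob, carol], ["can_create_actions", "can_restart"]):
        print(finding)
```
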