You're right, there is no view-all/read-only role built into RHQ. There is an all-resources role but that is for full ability to do anything other than admin tasks. At this point in time you have no choice, as far as I know, but to create one all-encompassing group. Perhaps do this with a recalculating dynagroup that selects all platforms and is recursive.
A built-in view-all-resources role may be a good RFE. Although I'm not sure about the likelihood of it being done, only because it may have too many touch points. It would take some investigation to see whether there was a quick way to add that feature; I don't think so off the top of my head.
Thanks for the reply Jay.
In the end I did the dynagroup workaround by defining groups for all Linux and all AS7. I couldn't figure out how to create a group containing "all" resources. Any pointers? Also, are Dynagroups considered resources so they would be included in "all"?
One problem with the Dynagroup method is that it does not include groups, and we use groups a lot to logically organize servers into services and environments. So a user with "All Platforms" would not see these organized groups.
Originally I figured that logically Read on Resources would mean "All resources" but I see now it needs to be done differently. I think a good option would be to have a Global -> View Resources permission for a role. Selecting this would allow the members to view all resources and groups.
Stian, that's a good point and a definite weakness in the dynagroup approach. The user still only has access to groups assigned to his role. There is no such thing as a "public" group, or something like that, and therefore unless you assign groups manually they won't be seen, including dynagroups. So, in the end, it's still not a great workaround, it gives you only view to the resources, but none of the organizational help the groups would offer. Of course group assignment is totally fundamental to the role-based-access-control of RHQ, so what you are looking for would have to be a special case. Really what you are looking for is a new global permission, like ManageInventory but without the write permissions, truly a ViewInventory permission.
Stian, how about running a CLI script from cron to set up your user/role requirements? It's not ideal of course, as you'll have to wait for the next execution schedule in case your inventory changes.