Merge branch 'cheshire-cat'

bryandmc · bryandmc · commit 4df875b4af94 · 2021-08-10T14:04:08.000-07:00
* MB-46113: Restrict sync gateway architect role

Change-Id: I14c77bd9bc4bafe6ff3c8cdaaac8807ce4588375
diff --git a/src/menelaus_roles.erl b/src/menelaus_roles.erl
@@ -566,7 +566,10 @@ roles() ->
        {desc, <<"Can manage Sync Gateway databases and users, "
                 "and access Sync Gateway's /metrics endpoint. "
                 "This user cannot read application data.">>}],
-      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw], all}]},
+      [{[{collection, [any, any, any]}, sgw, appdata], none},
+       {[{collection, [any, any, any]}, sgw, principal_appdata], none},
+       {[{collection, [any, any, any]}, sgw, replications], none},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw], all}]},
      {sync_gateway_app, ?RBAC_COLLECTION_PARAMS,
       [{name, <<"Sync Gateway Application">>},
        {folder, mobile},
@@ -597,7 +600,7 @@ roles() ->
        {desc, <<"Can manage Sync Gateway node-level configuration, "
                 "and access Sync Gateway's /metrics endpoint "
                 "for Prometheus integration.">>}],
-      [{[{collection, [any, any, any]}, sgw, dev_ops], all},
+      [{[sgw, dev_ops], all},
        {[admin, stats_export], [read]}]},
      {external_stats_reader, [],
       [{name, <<"External Stats Reader">>},
