From 142305e27b76b074ce75a26ba22559f013c8fa82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 11:21:07 +0100 Subject: [PATCH 1/7] Update organization and location permissions --- .../con_planning-organization-and-location-context.adoc | 2 ++ .../proc_assigning-a-host-to-a-specific-location.adoc | 6 ++++++ .../proc_assigning-a-host-to-a-specific-organization.adoc | 6 ++++++ guides/common/modules/proc_enabling-capsule-in-UI.adoc | 6 ++++++ .../ref_permissions-required-to-provision-hosts.adoc | 8 ++++++-- 5 files changed, 26 insertions(+), 2 deletions(-) diff --git a/guides/common/modules/con_planning-organization-and-location-context.adoc b/guides/common/modules/con_planning-organization-and-location-context.adoc index cc66050e5da..52f3137644c 100644 --- a/guides/common/modules/con_planning-organization-and-location-context.adoc +++ b/guides/common/modules/con_planning-organization-and-location-context.adoc @@ -41,6 +41,8 @@ While you cannot assign a subnet, domain, or compute resources directly to a {Sm + Unlike organizations, locations can have a hierarchical structure. Resources and users can generally only access resources within their own context, which makes configuring organizations and locations an integral part of access management in {Project}. ++ +When assigning organizations or locations to resources, users with the `assign_organizations` or `assign_locations` permissions can only assign organizations or locations that they belong to. {ProjectServer} defines all locations and organizations. Each {SmartProxyServer} diff --git a/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc b/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc index bae42dd2dc2..fcd1a62aa94 100644 --- a/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc +++ b/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc 
@@ -6,6 +6,12 @@ [role="_abstract"] Use this procedure to assign a host to a specific location. +[IMPORTANT] +==== +You can only assign locations to resources if you belong to those locations and have the `assign_locations` permission. +If you try to assign a location that you do not belong to, {Project} displays an error message: "Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission." +==== + .Procedure . In the {ProjectWebUI}, navigate to *Hosts* > *All Hosts*. . Select the checkbox of the host you want to change. diff --git a/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc b/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc index 6e8da224b51..c35347c0289 100644 --- a/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc +++ b/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc @@ -13,6 +13,12 @@ To unregister the host, run `subscription-manager unregister` on the host. After you assign the host to a new organization, you can re-register the host. ==== +[IMPORTANT] +==== +You can only assign organizations to resources if you belong to those organizations and have the `assign_organizations` permission. +If you try to assign an organization that you do not belong to, {Project} displays an error message: "Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission." +==== + .Procedure . In the {ProjectWebUI}, navigate to *Hosts* > *All Hosts*. . Select the checkbox of the host you want to change. diff --git a/guides/common/modules/proc_enabling-capsule-in-UI.adoc b/guides/common/modules/proc_enabling-capsule-in-UI.adoc index 6caa3947b9a..48d679e4d1d 100644 --- a/guides/common/modules/proc_enabling-capsule-in-UI.adoc +++ b/guides/common/modules/proc_enabling-capsule-in-UI.adoc 
@@ -13,6 +13,12 @@ To enable the inventory upload, synchronize SSH keys for both {SmartProxies}. ==== endif::[] +[IMPORTANT] +==== +You can only assign organizations and locations to resources if you belong to those organizations and locations and have the `assign_organizations` and `assign_locations` permissions. +If you try to assign an organization or location that you do not belong to, {Project} displays an error message indicating that you must select at least one organization or location that you belong to. +==== + .Procedure . Log into the {ProjectWebUI}. diff --git a/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc b/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc index 106defc8c04..b823566ae69 100644 --- a/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc +++ b/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc @@ -67,9 +67,11 @@ ifdef::katello,orcharhino,satellite[] | endif::[] -|Location +.2+|Location |view_locations | +|assign_locations +|Required if you need to assign locations to hosts or other resources. You can only assign locations that you belong to. |Medium |view_media @@ -79,9 +81,11 @@ endif::[] |view_operatingsystems | -|Organization +.2+|Organization |view_organizations | +|assign_organizations +|Required if you need to assign organizations to hosts or other resources. You can only assign organizations that you belong to. |Parameter |view_params, create_params, edit_params, destroy_params From 78263d978fc740afb21ea19f2d73ffdc782760b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 11:50:04 +0100 Subject: [PATCH 2/7] Drop addition in a planning module that is not needed --- .../modules/con_planning-organization-and-location-context.adoc | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/guides/common/modules/con_planning-organization-and-location-context.adoc b/guides/common/modules/con_planning-organization-and-location-context.adoc index 52f3137644c..cc66050e5da 100644 --- a/guides/common/modules/con_planning-organization-and-location-context.adoc +++ b/guides/common/modules/con_planning-organization-and-location-context.adoc @@ -41,8 +41,6 @@ While you cannot assign a subnet, domain, or compute resources directly to a {Sm + Unlike organizations, locations can have a hierarchical structure. Resources and users can generally only access resources within their own context, which makes configuring organizations and locations an integral part of access management in {Project}. -+ -When assigning organizations or locations to resources, users with the `assign_organizations` or `assign_locations` permissions can only assign organizations or locations that they belong to. {ProjectServer} defines all locations and organizations. Each {SmartProxyServer} From 2080c20169500ae85a9ef13a9c0f1ec2d586586a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 11:52:13 +0100 Subject: [PATCH 3/7] Turn IMPORTANT into prerequisites --- .../proc_assigning-a-host-to-a-specific-location.adoc | 8 +++----- .../proc_assigning-a-host-to-a-specific-organization.adoc | 8 +++----- guides/common/modules/proc_enabling-capsule-in-UI.adoc | 8 +++----- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc b/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc index fcd1a62aa94..85594aaad64 100644 --- a/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc +++ b/guides/common/modules/proc_assigning-a-host-to-a-specific-location.adoc 
@@ -6,11 +6,9 @@ [role="_abstract"] Use this procedure to assign a host to a specific location. -[IMPORTANT] -==== -You can only assign locations to resources if you belong to those locations and have the `assign_locations` permission. -If you try to assign a location that you do not belong to, {Project} displays an error message: "Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission." -==== +.Prerequisites +* Your user account has the `assign_locations` permission. +* You belong to the location that you want to assign to the host. .Procedure . In the {ProjectWebUI}, navigate to *Hosts* > *All Hosts*. diff --git a/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc b/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc index c35347c0289..97591811a9a 100644 --- a/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc +++ b/guides/common/modules/proc_assigning-a-host-to-a-specific-organization.adoc @@ -13,11 +13,9 @@ To unregister the host, run `subscription-manager unregister` on the host. After you assign the host to a new organization, you can re-register the host. ==== -[IMPORTANT] -==== -You can only assign organizations to resources if you belong to those organizations and have the `assign_organizations` permission. -If you try to assign an organization that you do not belong to, {Project} displays an error message: "Invalid organizations selection, you must select at least one of yours and have 'assign_organizations' permission." -==== +.Prerequisites +* Your user account has the `assign_organizations` permission. +* You belong to the organization that you want to assign to the host. .Procedure . In the {ProjectWebUI}, navigate to *Hosts* > *All Hosts*. diff --git a/guides/common/modules/proc_enabling-capsule-in-UI.adoc b/guides/common/modules/proc_enabling-capsule-in-UI.adoc index 48d679e4d1d..0b6c41bca8f 100644 
--- a/guides/common/modules/proc_enabling-capsule-in-UI.adoc +++ b/guides/common/modules/proc_enabling-capsule-in-UI.adoc @@ -13,11 +13,9 @@ To enable the inventory upload, synchronize SSH keys for both {SmartProxies}. ==== endif::[] -[IMPORTANT] -==== -You can only assign organizations and locations to resources if you belong to those organizations and locations and have the `assign_organizations` and `assign_locations` permissions. -If you try to assign an organization or location that you do not belong to, {Project} displays an error message indicating that you must select at least one organization or location that you belong to. -==== +.Prerequisites +* Your user account has the `assign_organizations` and `assign_locations` permissions. +* You belong to the organization and location that you want to assign to the {SmartProxy}. .Procedure From 9b15ae6526667fa1412fb1a9760e745b9020c60e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 11:54:28 +0100 Subject: [PATCH 4/7] Apply one sentence per line --- .../ref_permissions-required-to-provision-hosts.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc b/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc index b823566ae69..0759fd39bd7 100644 --- a/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc +++ b/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc @@ -71,7 +71,8 @@ endif::[] |view_locations | |assign_locations -|Required if you need to assign locations to hosts or other resources. You can only assign locations that you belong to. +|Required if you need to assign locations to hosts or other resources. +You can only assign locations that you belong to. |Medium |view_media 
@@ -85,7 +86,8 @@ endif::[] |view_organizations | |assign_organizations -|Required if you need to assign organizations to hosts or other resources. You can only assign organizations that you belong to. +|Required if you need to assign organizations to hosts or other resources. +You can only assign organizations that you belong to. |Parameter |view_params, create_params, edit_params, destroy_params From 40ffefc0251dbacc061690300e7f6bf698c91033 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 12:02:38 +0100 Subject: [PATCH 5/7] Shorten perm descriptions --- .../modules/ref_permissions-required-to-provision-hosts.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc b/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc index 0759fd39bd7..f545bfbc8d2 100644 --- a/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc +++ b/guides/common/modules/ref_permissions-required-to-provision-hosts.adoc @@ -71,7 +71,7 @@ endif::[] |view_locations | |assign_locations -|Required if you need to assign locations to hosts or other resources. +|Required to assign locations to hosts or other resources. You can only assign locations that you belong to. |Medium @@ -86,7 +86,7 @@ You can only assign locations that you belong to. |view_organizations | |assign_organizations -|Required if you need to assign organizations to hosts or other resources. +|Required to assign organizations to hosts or other resources. You can only assign organizations that you belong to. |Parameter From b00208a3fe19f04d84065adb22e4cea995c8ed44 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 14:35:36 +0100 Subject: [PATCH 6/7] Explain org/loc assignment for user accounts --- guides/common/modules/proc_creating-a-user.adoc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/guides/common/modules/proc_creating-a-user.adoc b/guides/common/modules/proc_creating-a-user.adoc index 2b8a4487157..767f02968fc 100644 --- a/guides/common/modules/proc_creating-a-user.adoc +++ b/guides/common/modules/proc_creating-a-user.adoc @@ -19,12 +19,15 @@ The user account details that you can specify include the following: ** *INTERNAL*: to manage the user inside {ProjectServer}. ** *EXTERNAL*: to manage the user with external authentication. For more information, see {ConfiguringUserAuthenticationDocURL}[_{ConfiguringUserAuthenticationDocTitle}_]. -* On the *Organizations* tab, select an organization for the user. +* On the *Organizations* tab, select organizations for the user. Specify the default organization {Project} selects for the user after login from the *Default on login* list. +* On the *Locations* tab, select locations for the user. +Specify the default location {Project} selects for the user after login from the *Default on login* list. + [IMPORTANT] ==== -If a user is not assigned to an organization, their access is limited. +Users are strictly confined to their assigned organizations and locations. +Users can only access and assign resources within the organizations and locations they belong to. ==== [id="cli-creating-a-user_{context}"] 
@@ -38,12 +41,13 @@ $ hammer user create \ --login _My_User_Name_ \ --mail _My_User_Mail_ \ --organization-ids _My_Organization_ID_1_,_My_Organization_ID_2_ \ +--location-ids _My_Location_ID_1_,_My_Location_ID_2_ \ --password _My_User_Password_ ---- + The `--auth-source-id 1` setting means that the user is authenticated internally, you can specify an external authentication source as an alternative. Add the `--admin` option to grant administrator privileges to the user. -Specifying organization IDs is not required. +Specifying organization IDs and location IDs is not required. + You can modify the user details later by using the `hammer user update` command. From a452f33f2c1a44ce430e68bd5465cea884612227 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 4 Nov 2025 19:26:32 +0100 Subject: [PATCH 7/7] Move general information to procedure intro --- guides/common/modules/proc_creating-a-user.adoc | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/guides/common/modules/proc_creating-a-user.adoc b/guides/common/modules/proc_creating-a-user.adoc index 767f02968fc..0c93cdd5a66 100644 --- a/guides/common/modules/proc_creating-a-user.adoc +++ b/guides/common/modules/proc_creating-a-user.adoc @@ -7,6 +7,9 @@ Use this procedure to create a user. ifndef::rest-api[] To use the CLI instead of the {ProjectWebUI}, see the xref:cli-creating-a-user_{context}[]. +Users are strictly confined to their assigned organizations and locations. +Users can only access and assign resources within the organizations and locations they belong to. + .Procedure . In the {ProjectWebUI}, navigate to *Administer* > *Users*. . Click *Create User*. 
@@ -23,12 +26,6 @@ For more information, see {ConfiguringUserAuthenticationDocURL}[_{ConfiguringUse Specify the default organization {Project} selects for the user after login from the *Default on login* list. * On the *Locations* tab, select locations for the user. Specify the default location {Project} selects for the user after login from the *Default on login* list. -+ -[IMPORTANT] -==== -Users are strictly confined to their assigned organizations and locations. -Users can only access and assign resources within the organizations and locations they belong to. -==== [id="cli-creating-a-user_{context}"] .CLI procedure
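Review bot: PATCH 2/7 removes exactly the paragraph that PATCH 1/7 added to con_planning-organization-and-location-context.adoc, and the index line returns the file to blob cc66050e5da, so the two changes net to nothing for that module. Squash the series before merging so the history does not carry an add-then-revert pair. The same applies to the IMPORTANT block in proc_creating-a-user.adoc, which PATCH 6/7 rewrites and PATCH 7/7 deletes.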
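Review bot: In PATCH 3/7, the new .Prerequisites lists in the two host-assignment modules drop the quoted error strings ("Invalid locations selection, you must select at least one of yours and have 'assign_locations' permission." and the organizations equivalent) that PATCH 1/7 had documented. After this change the text a user actually sees on a denied assignment is no longer in the docs, so it cannot be found by searching for it. Consider keeping the message in a short troubleshooting or verification note under the procedure. The prerequisites themselves read well.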
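Review bot: In PATCH 6/7, first hunk of proc_creating-a-user.adoc, "Users are strictly confined to their assigned organizations and locations." is stated without exception, but the CLI section of the same module documents `--admin` for granting administrator privileges. Say explicitly whether the confinement applies to administrator accounts too, so that readers do not treat organization and location membership as a boundary for users it may not bind. The two sentences also overlap ("confined to" and "can only access ... within"); one sentence would carry the rule.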
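Review bot: In PATCH 6/7, second hunk of proc_creating-a-user.adoc, "Specifying organization IDs and location IDs is not required." now has no stated consequence, because the first hunk removes "If a user is not assigned to an organization, their access is limited." Combined with the new statement that users can only access resources in the organizations and locations they belong to, a reader cannot tell what an account created without either option can reach. Add a sentence after the "not required" line that describes the resulting access for such an account.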
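Review bot: In PATCH 7/7, first hunk of proc_creating-a-user.adoc, the two added "Users are ..." sentences are placed directly after the CLI cross-reference line that follows `ifndef::rest-api[]`, and no `endif::[]` is visible between them in the hunk. If the conditional is still open at that point, the access rule disappears from builds that define `rest-api`, and the sentences may also render as part of the same paragraph as the CLI pointer. Move them up to follow "Use this procedure to create a user.", before the `ifndef`, separated by a blank line, so the rule is unconditional and stands as its own paragraph.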