Here is an excerpt from rundeck.audit.log, showing the problem :
[2024-06-10T09:57:41,143] INFO authorization.LoggingAuthorization -
Evaluating Decision for: res<name:INFRA-RSO, type:project>
subject<Username:polfoad Group:user Group:polfoad-admins> action<read>
env<rundeck:auth:env:application:rundeck>: authorized: true: GRANTED,
reason: GRANTED, evaluations:
ACLRule</etc/rundeck/touslesgroupes-special-policy.aclpolicy[1][type:project][rule:
1]>{'Allow groups to execute a8928ddf-bd40-441d-8d22-9eaed77186d1 for
INFRA-RSO' context={application='rundeck'} type='project' match ,
resource={name=INFRA-RSO} for: { group='.*'} allow=[read]} GRANTED for
action read => GRANTED (0ms)
[2024-06-10T09:57:48,169] WARN authorization.LoggingAuthorization -
Evaluating Decision for: res<name:INFRA-RSO, type:storage,
path:keys/INFRA-RSO> subject<Username:polfoad Group:user
Group:polfoad-admins> action<read>
env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED,
reason: REJECTED, evaluations:
ACLRule</etc/rundeck/polfoad.aclpolicy[3][type:storage][rule:
1]>{'polfoad application scope permissions'
context={application='rundeck'} type='storage' equals ,
resource={name=keys, path=keys} for: { group='polfoad'} allow=[read]}
REJECTED for action read => REJECTED (0ms)