I am trying to create an ACL that will allow the user to view and edit the jobs but not delete them, not manage SCM, for all jobs within all projects.
I am trying to tail the log, but there is just too much information printed there for this one attempt to edit the job. Can someone share with me what permission is missing?
I see 3 sets of evaluations trigger and am trying to find which one is the problem. Attached is my ACL file.
Project_ACL:
[2021-11-10T15:58:10,917] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:project_acl, name:O365_Extended_Toolkit> subject<Username:test_user Group:poweruser> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action read => REJECTED (0ms)
[2021-11-10T15:58:10,917] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:project_acl, name:O365_Extended_Toolkit> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
[2021-11-10T15:58:10,918] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:project_acl, name:O365_Extended_Toolkit> subject<Username:test_user Group:poweruser> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action read => REJECTED (0ms)
[2021-11-10T15:58:10,918] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:project_acl, name:O365_Extended_Toolkit> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
Resource:
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:resource, kind:plugin> subject<Username:test_user Group:poweruser> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action read => REJECTED (0ms)
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:resource, kind:plugin> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:resource, kind:plugin> subject<Username:test_user Group:poweruser> action<install> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action install => REJECTED (0ms)
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<type:resource, kind:plugin> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
System:
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<kind:system, type:resource> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<kind:system, type:resource> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
[2021-11-10T15:58:10,925] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<kind:system, type:resource> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
[2021-11-10T15:58:10,926] WARN authorization.LoggingAuthorization - Evaluating Decision for: res<kind:system, type:resource> subject<Username:test_user Group:poweruser> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED, reason: REJECTED, evaluations: ACLRule</etc/rundeck/poweruser.aclpolicy[1][type:resource][rule: 1]>{'User Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.' context={application='rundeck'} type='resource' equals , resource={kind=system} for: { group='poweruser'} allow=[read, enable_executions, disable_executions]} REJECTED for action admin => REJECTED (0ms)
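An added example, not part of the original post: a short Python script that collapses LoggingAuthorization lines like the ones above into one row per distinct denied (user, context, resource, action) combination, so repeated evaluations of the same check are counted instead of repeated. The sample lines are constructed from the post's log with the long evaluations tail trimmed, and the function names are illustrative.

```python
import re
from collections import Counter

# Header of a Rundeck LoggingAuthorization decision line, as seen in the post.
DECISION_RE = re.compile(
    r"Evaluating Decision for: res<(?P<res>[^>]*)> "
    r"subject<Username:(?P<user>\S+) Group:(?P<groups>[^>]*)> "
    r"action<(?P<action>[^>]*)> "
    r"env<(?P<env>[^>]*)>: authorized: (?P<ok>true|false)"
)
ENV_PREFIX = "rundeck:auth:env:"

def normalize_resource(res):
    """Sort 'k:v' pairs so 'kind:system, type:resource' and its reverse compare equal."""
    return ", ".join(sorted(p.strip() for p in res.split(",") if p.strip()))

def summarize_denials(lines):
    """Count rejected decisions per (user, context, resource, action)."""
    denied = Counter()
    for line in lines:
        m = DECISION_RE.search(line)
        if m and m["ok"] == "false":
            context = m["env"].replace(ENV_PREFIX, "", 1)
            denied[(m["user"], context, normalize_resource(m["res"]), m["action"])] += 1
    return denied

def report(denied):
    """One text row per distinct denial, most frequent first."""
    return [f"{n}x {user} [{ctx}] {res} -> {action}"
            for (user, ctx, res, action), n in denied.most_common()]

# Constructed sample: lines from the post with the 'evaluations:' tail trimmed.
def _line(ms, res, action):
    return (f"[2021-11-10T15:58:10,{ms}] WARN authorization.LoggingAuthorization - "
            f"Evaluating Decision for: res<{res}> subject<Username:test_user "
            f"Group:poweruser> action<{action}> "
            "env<rundeck:auth:env:application:rundeck>: authorized: false: REJECTED")
SAMPLE = [
    _line(917, "type:project_acl, name:O365_Extended_Toolkit", "read"),
    _line(917, "type:project_acl, name:O365_Extended_Toolkit", "admin"),
    _line(918, "type:project_acl, name:O365_Extended_Toolkit", "read"),
    _line(925, "type:resource, kind:plugin", "read"),
    _line(925, "type:resource, kind:plugin", "install"),
    _line(925, "kind:system, type:resource", "admin"),
    _line(926, "kind:system, type:resource", "admin"),
]

if __name__ == "__main__":
    print("\n".join(report(summarize_denials(SAMPLE))))
```

Each row names the context in brackets (application or project), which shows at which level of the ACL policy the denied action was evaluated.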