diff --git a/awx/main/access.py b/awx/main/access.py
index 400af5e267..956a1e7802 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -641,9 +641,9 @@ class InventoryAccess(BaseAccess):
 def can_add(self, data):
 # If no data is specified, just checking for generic add permission?
 if not data:
- return Organization.accessible_objects(self.user, 'admin_role').exists()
+ return Organization.accessible_objects(self.user, 'inventory_admin_role').exists()
- return self.check_related('organization', Organization, data)
+ return self.check_related('organization', Organization, data, role_field='inventory_admin_role')
 @check_superuser
 def can_change(self, obj, data):
diff --git a/awx/main/models/inventory.py b/awx/main/models/inventory.py
index 9878aab1d9..d6c8a4dbdf 100644
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@@ -132,7 +132,7 @@ class Inventory(CommonModelNameNotUnique, ResourceMixin):
 blank=True,
 )
 admin_role = ImplicitRoleField(
- parent_role='organization.admin_role',
+ parent_role='organization.inventory_admin_role',
 )
 update_role = ImplicitRoleField(
 parent_role='admin_role',
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index 62e9348baf..2ba1bef300 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@@ -38,6 +38,7 @@ role_names = {
 'adhoc_role' : _('Ad Hoc'),
 'admin_role' : _('Admin'),
 'project_admin_role' : _('Project Admin'),
+ 'inventory_admin_role' : _('Inventory Admin'),
 'auditor_role' : _('Auditor'),
 'execute_role' : _('Execute'),
 'member_role' : _('Member'),
@@ -52,6 +53,7 @@ role_descriptions = {
 'adhoc_role' : _('May run ad hoc commands on an inventory'),
 'admin_role' : _('Can manage all aspects of the %s'),
 'project_admin_role' : _('Can manage all projects of the %s'),
+ 'inventory_admin_role' : _('Can manage all inventories of the %s'),
 'auditor_role' : _('Can view all settings for the %s'),
 'execute_role' : _('May run the %s'),
 'member_role' : _('User is a member of the %s'),
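Review bot: Both branches of `can_add` in awx/main/access.py now resolve `inventory_admin_role` on Organization, but no hunk shown here defines that role on the Organization model or makes the organization's `admin_role` its parent. If that wiring is missing, organization admins would lose inventory creation, so it should be confirmed and covered by a test: an org admin and an org inventory admin can add, a plain member cannot. `check_related` is defined outside this hunk, so it is also worth confirming that a payload with no `organization` key is refused rather than treated as an unchanged relation. The leading comment still reads as a question; I would replace it with `# No payload: allow if the user holds inventory_admin_role on any organization.` `can_add` starts at the top of the hunk and the class body continues outside it.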
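Review bot: Re-parenting `Inventory.admin_role` to `organization.inventory_admin_role` in awx/main/models/inventory.py changes who inherits admin on every inventory, yet the diff shows no data migration that recomputes implicit role ancestry for existing inventories. If ancestry is only rebuilt when an object is saved (not visible here, so please confirm), existing rows keep the old hierarchy and the new role has no effect on them until each one is touched. A regression test should assert that a user holding only the organization's `inventory_admin_role` gets `admin_role` on a pre-existing inventory in that organization and nothing in other organizations. I would also add a comment above the field: `# Inherited from the organization's inventory_admin_role rather than directly from its admin_role.` The Inventory class body continues on both sides of this hunk.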