From c7234f42c7a7f27bbc2c75ef3f4b8d09289ac020 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 21 Mar 2016 22:28:05 -0400
Subject: [PATCH] Give SU's access to all projects to protect against unreachable orphans
---
 awx/main/models/projects.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py
index 4919c3e06a..d20612a211 100644
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
@@ -26,6 +26,11 @@ from awx.main.models.mixins import ResourceMixin
 from awx.main.utils import update_scm_url
 from awx.main.fields import ImplicitRoleField
 from awx.main.conf import tower_settings
+from awx.main.models.rbac import (
+ ALL_PERMISSIONS,
+ ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
+ ROLE_SINGLETON_SYSTEM_AUDITOR,
+)
 __all__ = ['Project', 'ProjectUpdate']
@@ -222,13 +227,17 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
 parent_role=[
 'organization.admin_role',
 'teams.member_role',
+ 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
 ],
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Project Auditor',
 role_description='May read all settings associated with this project',
- parent_role='organization.auditor_role',
+ parent_role=[
+ 'organization.auditor_role',
+ 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
+ ],
 permissions = {'read': True}
 )
 member_role = ImplicitRoleField(
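Review bot: `ALL_PERMISSIONS` is added to the `awx.main.models.rbac` import in the first hunk, but neither hunk of this patch references it; only the two `ROLE_SINGLETON_*` constants are used. Unless code outside the visible hunks needs it, drop that name so the import list shows exactly which RBAC primitives this model depends on: `from awx.main.models.rbac import ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR`.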
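Review bot: The new `'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR` parent on `admin_role` gives every holder of the system-administrator singleton `{'all': True}` on every project, and the auditor singleton gains read on every project. This privilege widening is undocumented at the point where it is granted. Add a comment above both `parent_role` lists, for example `# System-wide singleton is a parent so a project whose organization is gone stays reachable`. Two things are not visible in the patch and should be confirmed: whether projects that already exist pick up the new ancestors (presumably the implicit parents only take effect when the roles are rebuilt), and whether a test covers both that a superuser can reach an organization-less project and that an unrelated user still cannot. `member_role` begins on the last line of the hunk and its definition continues outside it, so whether it needs a matching singleton parent cannot be judged from here.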