diff --git a/awx/main/migrations/0006_v300_rbac_changes.py b/awx/main/migrations/0006_v300_rbac_changes.py
index 968135feba..c6a9ad6da4 100644
--- a/awx/main/migrations/0006_v300_rbac_changes.py
+++ b/awx/main/migrations/0006_v300_rbac_changes.py
@@ -86,6 +86,11 @@ class Migration(migrations.Migration):
             name='owner_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
         ),
+        migrations.AddField(
+            model_name='credential',
+            name='auditor_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
         migrations.AddField(
             model_name='credential',
             name='usage_role',
diff --git a/awx/main/models/credential.py b/awx/main/models/credential.py
index ec47cb1fbb..9ae6b47298 100644
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@@ -16,6 +16,10 @@ from awx.main.constants import CLOUD_PROVIDERS
 from awx.main.utils import decrypt_field
 from awx.main.models.base import * # noqa
 from awx.main.models.mixins import ResourceMixin
+from awx.main.models.rbac import (
+    ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
+    ROLE_SINGLETON_SYSTEM_AUDITOR,
+)
 
 __all__ = ['Credential']
 
@@ -158,9 +162,20 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
     owner_role = ImplicitRoleField(
         role_name='Credential Owner',
         role_description='Owner of the credential',
-        parent_role='team.admin_role',
+        parent_role=[
+            'team.admin_role',
+            'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
+        ],
         permissions = {'all': True}
     )
+    auditor_role = ImplicitRoleField(
+        role_name='Credential Auditor',
+        role_description='Auditor of the credential',
+        parent_role=[
+            'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
+        ],
+        permissions = {'read': True}
+    )
     usage_role = ImplicitRoleField(
         role_name='Credential User',
         role_description='May use this credential, but not read sensitive portions or modify it',
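Review bot: The new `auditor_role` AddField passes `null=b'True'`, a bytes literal where Django expects a bool; it is truthy so the column is created nullable, but the intent is `null=True`, and the same slip is already present on the neighbouring `owner_role` field this hunk copies from. The change also edits the existing `0006_v300_rbac_changes` migration in place rather than adding a new one; if that migration has already been applied anywhere, Django will consider it done and the `auditor_role` column will never be created there, so this presumably relies on no environment having run 0006 yet — worth confirming. The `operations` list and the `Migration` class continue outside the hunk.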
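Review bot: The new `auditor_role` grants `{'read': True}` on `Credential`, a model whose `usage_role` description in the same hunk explicitly distinguishes "read sensitive portions" from use; nothing in this hunk shows whether `read` here is the full-object read that would expose the encrypted secret fields (the file imports `decrypt_field`) or only the masked view, so the serializer and access-control paths that honour `read` should be checked before the system-auditor singleton inherits this role. A one-line comment above the field would make the intended contract explicit, e.g. `# Read-only access for system auditors; secret fields must stay masked on this path`. The `permissions = {'read': True}` spacing matches the existing `permissions = {'all': True}` line, so it is consistent even though PEP 8 would drop the spaces around `=`. The `Credential` class body continues outside the hunk.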