Add Project Admin role

2026-01-18 21:21:21 -03:30 · 2018-01-26 00:33:07 +00:00 · 2018-01-26 00:33:07 +00:00 · e7e83afd00
commit e7e83afd00
parent 605a2c7e01
4 changed files with 12 additions and 4 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1087,8 +1087,8 @@ class ProjectAccess(BaseAccess):
    @check_superuser
    def can_add(self, data):
        if not data:  # So the browseable API will work
-            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        return self.check_related('organization', Organization, data, mandatory=True)
+            return Organization.accessible_objects(self.user, 'project_admin_role').exists()
+        return self.check_related('organization', Organization, data, role_field='project_admin_role', mandatory=True)

    @check_superuser
    def can_change(self, obj, data):
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@ -43,11 +43,17 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
    admin_role = ImplicitRoleField(
        parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
    )
+    project_admin_role = ImplicitRoleField(
+        parent_role='admin_role',
+    )
+    inventory_admin_role = ImplicitRoleField(
+        parent_role='admin_role',
+    )
    auditor_role = ImplicitRoleField(
        parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
    )
    member_role = ImplicitRoleField(
-        parent_role='admin_role',
+        parent_role=['admin_role', 'project_admin_role', 'inventory_admin_role']
    )
    read_role = ImplicitRoleField(
        parent_role=['member_role', 'auditor_role'],
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
@ -284,7 +284,7 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin, CustomVirtualEn
    )

    admin_role = ImplicitRoleField(parent_role=[
-        'organization.admin_role',
+        'organization.project_admin_role',
        'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
    ])

--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@ -37,6 +37,7 @@ role_names = {
    'system_auditor'       : _('System Auditor'),
    'adhoc_role'           : _('Ad Hoc'),
    'admin_role'           : _('Admin'),
+    'project_admin_role'   : _('Project Admin'),
    'auditor_role'         : _('Auditor'),
    'execute_role'         : _('Execute'),
    'member_role'          : _('Member'),
@ -50,6 +51,7 @@ role_descriptions = {
    'system_auditor'       : _('Can view all settings on the system'),
    'adhoc_role'           : _('May run ad hoc commands on an inventory'),
    'admin_role'           : _('Can manage all aspects of the %s'),
+    'project_admin_role'   : _('Can manage all projects of the %s'),
    'auditor_role'         : _('Can view all settings for the %s'),
    'execute_role'         : _('May run the %s'),
    'member_role'          : _('User is a member of the %s'),