From e7e83afd00cef9c8655aa571923b4411c83f0e42 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 26 Jan 2018 00:33:07 +0000
Subject: [PATCH] Add Project Admin role
---
 awx/main/access.py | 4 ++--
 awx/main/models/organization.py | 8 +++++++-
 awx/main/models/projects.py | 2 +-
 awx/main/models/rbac.py | 2 ++
 4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 5ce76a52f8..400af5e267 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1087,8 +1087,8 @@ class ProjectAccess(BaseAccess):
 @check_superuser
 def can_add(self, data):
 if not data: # So the browseable API will work
- return Organization.accessible_objects(self.user, 'admin_role').exists()
- return self.check_related('organization', Organization, data, mandatory=True)
+ return Organization.accessible_objects(self.user, 'project_admin_role').exists()
+ return self.check_related('organization', Organization, data, role_field='project_admin_role', mandatory=True)
 @check_superuser
 def can_change(self, obj, data):
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index cd0ccfc785..c82d911ecb 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@@ -43,11 +43,17 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
 admin_role = ImplicitRoleField(
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
 )
+ project_admin_role = ImplicitRoleField(
+ parent_role='admin_role',
+ )
+ inventory_admin_role = ImplicitRoleField(
+ parent_role='admin_role',
+ )
 auditor_role = ImplicitRoleField(
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
 member_role = ImplicitRoleField(
- parent_role='admin_role',
+ parent_role=['admin_role', 'project_admin_role', 'inventory_admin_role']
 )
 read_role = ImplicitRoleField(
 parent_role=['member_role', 'auditor_role'],
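Review bot: The relaxed organization check covers only `can_add`; `can_change`, whose body lies outside this hunk, is not touched by the commit, so if it also calls `check_related('organization', ...)` it still falls back to the default role (presumably `'admin_role'`), and creating a project and moving it between organizations would be authorized against different roles. Confirm which role should gate re-parenting and pass `role_field='project_admin_role'` there too if the two are meant to match. A short comment above the new return, such as `# Org admins inherit project_admin_role, so they still pass this check`, would record why dropping the explicit `'admin_role'` lookup does not lock organization admins out.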
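Review bot: Listing `project_admin_role` and `inventory_admin_role` as parents of `member_role` means anyone granted either scoped role also becomes an organization member and, through `read_role`, a reader of the organization; that implicit grant deserves a comment on the field, for example `# scoped admins are implicitly org members`, so it is not mistaken for an accident. `inventory_admin_role` is outside the commit's stated scope and nothing in this patch checks it, yet it already confers membership. The diffstat lists four files and no migration; if `ImplicitRoleField` is database-backed, the two new fields here and the changed parent in awx/main/models/projects.py need a schema migration and a rebuild of the stored role hierarchy for existing rows. The Organization class continues outside the hunk.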
diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py
index ef3f809a74..77d77bf13e 100644
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
@@ -284,7 +284,7 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin, CustomVirtualEn
 )
 admin_role = ImplicitRoleField(parent_role=[
- 'organization.admin_role',
+ 'organization.project_admin_role',
 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
 ])
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index b7f70aafec..62e9348baf 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@@ -37,6 +37,7 @@ role_names = {
 'system_auditor' : _('System Auditor'),
 'adhoc_role' : _('Ad Hoc'),
 'admin_role' : _('Admin'),
+ 'project_admin_role' : _('Project Admin'),
 'auditor_role' : _('Auditor'),
 'execute_role' : _('Execute'),
 'member_role' : _('Member'),
@@ -50,6 +51,7 @@ role_descriptions = {
 'system_auditor' : _('Can view all settings on the system'),
 'adhoc_role' : _('May run ad hoc commands on an inventory'),
 'admin_role' : _('Can manage all aspects of the %s'),
+ 'project_admin_role' : _('Can manage all projects of the %s'),
 'auditor_role' : _('Can view all settings for the %s'),
 'execute_role' : _('May run the %s'),
 'member_role' : _('User is a member of the %s'),
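Review bot: Organization admins now reach a project's `admin_role` only transitively, through `organization.project_admin_role`, which depends on that role keeping `parent_role='admin_role'` in awx/main/models/organization.py. Add a comment on the list, e.g. `# organization.admin_role is inherited via project_admin_role`, so a later edit to the organization roles does not silently remove org admins from their own projects. The other role fields of Project lie outside the hunk; any that still name `organization.admin_role` directly should be checked for the same intent.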
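Review bot: `role_names` gains an entry for `project_admin_role` only, and the `role_descriptions` hunk that follows does the same, while awx/main/models/organization.py in this patch also adds `inventory_admin_role`. Any code that looks up a role's label or description by field name would presumably fail or show nothing for that role. Either add matching entries, e.g. `'inventory_admin_role' : _('Inventory Admin'),` plus a description line in `role_descriptions`, or move the inventory role into its own commit. Both dictionaries continue outside their hunks.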