Made credentials accessible by system administrators and auditors

2026-05-14 01:08:37 -05:00 · 2016-03-15 16:51:44 -04:00
parent ce669b03ad
commit defe4a4fd8
2 changed files with 21 additions and 1 deletions
@@ -16,6 +16,10 @@ from awx.main.constants import CLOUD_PROVIDERS
 from awx.main.utils import decrypt_field
 from awx.main.models.base import * # noqa
 from awx.main.models.mixins import ResourceMixin
+from awx.main.models.rbac import (
+    ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
+    ROLE_SINGLETON_SYSTEM_AUDITOR,
+)

 __all__ = ['Credential']

@@ -158,9 +162,20 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
    owner_role = ImplicitRoleField(
        role_name='Credential Owner',
        role_description='Owner of the credential',
-        parent_role='team.admin_role',
+        parent_role=[
+            'team.admin_role',
+            'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
+        ],
        permissions = {'all': True}
    )
+    auditor_role = ImplicitRoleField(
+        role_name='Credential Auditor',
+        role_description='Auditor of the credential',
+        parent_role=[
+            'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
+        ],
+        permissions = {'read': True}
+    )
    usage_role = ImplicitRoleField(
        role_name='Credential User',
        role_description='May use this credential, but not read sensitive portions or modify it',