How role resource permission combinations operate & possible explanation for why your Morpheus user may be missing access to resources

Hello,

This post covers why you may be unable to see resources (such as blueprints, groups…) in Morpheus, even though you believe the RBAC configuration on the user role(s) to be correct.

In 5.5.2 and above, Role Resource (Groups, Instance Types, Blueprints…) permissions in Morpheus have a “Default” access level, and each resource can also be explicitly set to an individual permission level. If a resource permission has been explicitly set to a non-default permission level, this takes precedence over the default access level. The same applies when a user in Morpheus has multiple roles. If a user has role A and role B, and role A has a resource permission explicitly set to “None”, this will supersede the default access level of role B, even if the default for B is more permissive. This intended design allows users of Morpheus to configure rules for resource permissions in a similar way to firewall rules, where the Default rule acts at the top of the permission chain, but if a resource permission is set, this is treated as a rule for that specific resource, and this rule will override the default behaviour.

With the above in mind, let’s use an example:

We have three user roles, X, Y and System Admin, where:

i) X has default access for all resource permissions. The default access is FULL.
ii) Y has None access set for all resource permissions, and does not rely upon default access.
iii) System Admin is the default Morpheus System role. It has full feature access and FULL default resource permissions.

If a user has both roles X and Y, then the None resource access permissions on Y supersede the default (FULL) resource access permissions on X. The same applies if a user has both roles Y and System Admin.

Role X: Screen Shot on 2023-04-21 at 12-27-33.png - Droplr
Role Y: Screen Shot on 2023-04-21 at 12-28-21.png - Droplr
System Admin Role: Screen Shot on 2023-04-21 at 12-30-11.png - Droplr

Scenario 1) User permissions when using combined roles X and Y: Screen Shot on 2023-04-21 at 12-31-21.png - Droplr
Scenario 2) User permissions when using combined roles System Admin and Y: Screen Shot on 2023-04-21 at 12-32-25.png - Droplr

The more permissive default permissions on role X or role System Admin will not supersede the lower permissions on Y, as Y has explicitly set “None” on those resource permissions. If we would like role X or role System Admin to supersede those permissions on role Y, then we should change the individual resource permissions on role Y to “Default” and change the Default permission to “None”.

I hope this helps you with your RBAC setup.

Thanks!

Chris

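The precedence rule described in the post above, as a small Python model for auditing role combinations (an added example, not Morpheus code and not part of the original post). Role Y's default level and the resource names are constructed, and how two explicit settings or two defaults combine is an assumption the post does not state.

```python
from dataclasses import dataclass, field

RANK = {"none": 0, "full": 1}  # only the two access levels the post names


@dataclass
class Role:
    name: str
    default: str                                  # role-wide "Default" access level
    explicit: dict = field(default_factory=dict)  # resource -> explicitly set level


def effective_access(roles, resource):
    """Return (level, deciding_role, reason) for one resource across a user's roles."""
    explicit = [(r.explicit[resource], r.name) for r in roles if resource in r.explicit]
    if explicit:
        # Rule from the post: an explicit setting on any role overrides every role's default.
        # Assumption: if several roles set explicit levels, the most permissive is used.
        level, name = max(explicit, key=lambda e: RANK[e[0]])
        return level, name, "explicit"
    # Assumption: with no explicit setting on any role, the most permissive default is used.
    level, name = max(((r.default, r.name) for r in roles), key=lambda e: RANK[e[0]])
    return level, name, "default"


def shadowed_defaults(roles, resources):
    """Find resources where an explicit level hides a more permissive default of another role."""
    findings = []
    for res in resources:
        level, decider, reason = effective_access(roles, res)
        best = max((r.default for r in roles if res not in r.explicit),
                   key=RANK.get, default=None)
        if reason == "explicit" and best and RANK[best] > RANK[level]:
            findings.append((res, decider, level, best))
    return findings


# Constructed sample data mirroring the post's roles; resource names are placeholders.
RESOURCES = ["group:dev", "blueprint:web"]
ROLE_X = Role("X", default="full")
ROLE_Y = Role("Y", default="full", explicit={r: "none" for r in RESOURCES})
SYS_ADMIN = Role("System Admin", default="full")
ROLE_Y_FIXED = Role("Y", default="none")  # the post's fix: resources on Default, Default = None

if __name__ == "__main__":
    for combo in ([ROLE_X, ROLE_Y], [SYS_ADMIN, ROLE_Y], [ROLE_X, ROLE_Y_FIXED]):
        print([r.name for r in combo], shadowed_defaults(combo, RESOURCES),
              effective_access(combo, "blueprint:web"))
```

Each finding names the role whose explicit setting is hiding the resource, which is the role to inspect when a user is missing access.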