defect Urgent: Defect with CI permissions

[Dan Munns]

Hi all, 

Since the update yesterday the way CI permissions are dealt with has changed. Allow used to take precedence (and I raised an issue around this previously) but now Deny seems to take precedence which means that many of our CIs are now not visible to anyone. 

I have a team with all our staff in so that we can make use of the visibility functionality. This team is allowed on most of the CIs, but CIs which are only for certain teams have All Staff set to deny. The team is then set to allow and this has worked fine until yesterday. Now the only way I can make the CIs visible is to set the All Staff list to allow which I cant do as it will show all CIs which we dont want. 

Can this be looked at and fixed as a matter of urgency please?

@Victor @Steven Boardman @Ehsan

[Guest Chaz]

Hi @Dan Munns, just had a look at it using the current build and it appears to be working as designed. If you a user is explicitly assigned to the Service and then excluded from the CI then that trumps all other configuration for that user, but this is by design.

Have you enabled the new setting com.hornbill.servicemanager.services.subscriptions.allowSubgroupsInclusion which takes it further by including hierarchy in it's decision and that could be the reason for the change in behaviour you're seeing?

[Dan Munns]

@Chaz I havent changed any settings. I performed the update last night (this morning maybe 0100 ish) and when I came in this morning was told a number of CIs had disappeared.

The defect was reported by myself in Nov, and accepted as a defect so I don't know what has changed since then. 

We have now built a number of services which rely on this functionality working the way it did in Nov after the fix was released. 

 

 

[Guest Chaz]

@Dan Munns carried on testing and found that some combinations cause this to happen. We're looking into it now.

[Dan Munns]

@Chaz any update on this please? 

This is causing a lot of issues today.

[ArmandoDM]

Hi @Dan Munns

the fix has been deployed to your instance now.

Can you please check and let us know if its sorted?

Thanks

Armando

[Dan Munns]

@ArmandoDM still the same issue. 

I have logged off and back on, cleared cache and refreshed (not necessarily in that order) and no change. 

[Guest Chaz]

@Dan Munns the scenario we found and deployed a fix for was this:
 

• Multiple teams support a Service and are included as subscribers to the catalog
• When configuring the catalog's visibility, exclude the first team in the list from being able to see it (any others wouldn't be considered because the first already granted visibility)

Is you configuration different from this? As you have a success plan, it may be worth raising a support request for this issue.

[Dan Munns]

@Chaz I have raised an incident ticket already. 

My issue is this: 

On the service that this CI resides in I have two lists; All Staff and the team. 

The All Staff list is excluded from this CI but can use all other CIs within the service. The team can use this and all other CIs within the service. 

This used to work fine until today. 

Now, because the users in the team are also within the All Staff list, they are denied access to the CI. 

This has impacted almost all of our services and as such has generated a large number of calls. 

If possible can you roll back the update on my instance until this has been resolved?

[Guest Chaz]

Managed to resolve this after reaching out to Dan, we'll have something ready early next week in the App Store as a permanent fix.