diff --git a/awx/main/access.py b/awx/main/access.py
index badd3f415f..3c3a92884c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -510,6 +510,8 @@ class OrganizationAccess(BaseAccess):
     I can change or delete organizations when:
      - I am a superuser.
      - I'm an admin of that organization.
+    I can associate/disassociate instance groups when:
+     - I am a superuser.
     '''
 
     model = Organization
@@ -541,7 +543,7 @@ class OrganizationAccess(BaseAccess):
 
     def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
         if relationship == "instance_groups":
-            if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role:
+            if self.user.is_superuser:
                 return True
             return False
         return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
diff --git a/awx/main/tests/functional/test_rbac_instance_groups.py b/awx/main/tests/functional/test_rbac_instance_groups.py
index 07a6c32c9f..2021f537ca 100644
--- a/awx/main/tests/functional/test_rbac_instance_groups.py
+++ b/awx/main/tests/functional/test_rbac_instance_groups.py
@@ -50,7 +50,7 @@ def test_ig_associability(organization, default_instance_group, admin, system_au
     organization.instance_groups.add(default_instance_group)
 
     assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
-    assert oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
+    assert not oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
     assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
     assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
 
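Review bot: The instance_groups branch of can_attach now reduces to a single boolean, so the nested `if self.user.is_superuser: return True` followed by `return False` reads more directly as `return self.user.is_superuser`, ideally with a why-comment such as `# instance groups are shared cluster capacity; only superusers may bind them to an organization` — the rationale is not stated in the hunk, so confirm that wording before using it. The docstring hunk above promises the same superuser-only rule for disassociation, but can_unattach is outside this diff; the flipped can_unattach assertion in the test hunk suggests it delegates to can_attach for this relationship, which is worth confirming so the two checks do not drift apart later. Dropping the `can_access(type(sub_obj), "read", sub_obj)` guard is safe here only because the superuser test subsumes it; if the rule is ever widened again, that read check on sub_obj has to come back with it.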
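Review bot: The test hunk pins the new rule only through can_unattach for org_admin; the direct can_attach expectations for oadmin_access and the superuser path sit earlier in test_ig_associability, outside the hunk, and should be checked to agree with the superuser-only rule the docstring now states. A short comment above the flipped assertion, `# org admins may no longer manage instance group membership; superuser only`, would record why the expectation inverted rather than leaving it to the commit history. test_ig_associability starts before the hunk.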