Certain users can see catalog items from all Content Sharing Policies in Aria Automation, even when the items are not shared to them

Article ID: 412535


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • These users have the Viewer or Administrator role for Service Broker assigned to them.
  • The user roles are visible in their bearer token once it is decoded. The decoded token includes a section like this:

        "perms": [
          "csp:org_member",
          "external/<UUID>/catalog:viewer",
          "external/<UUID>/catalog:user"
        ],

Environment

  • VMware Aria Automation 8.x

Cause

This is expected behaviour for the viewer role. For more information please see these resources:

Resolution

If users should not be able to view all catalog items, they should have only the Service Broker User role assigned to them:

  1. Log in as an Org Owner and go to the Identity & Access Management screen of Aria Automation
  2. Remove Service Broker roles other than User
  3. The user must now log out and back in for the change to apply
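
To confirm the change after the user logs back in, the perms claim of the new bearer token can be checked for Service Broker roles other than User. This is an added example, not part of the original article or any VMware tooling; it decodes the token payload without verifying the signature (inspection only), and the sample tokens and the service ID placeholder are constructed.

```python
import base64
import json
import re

# Service Broker entries as shown in the article: "external/<UUID>/catalog:<role>"
CATALOG_PERM = re.compile(r"^external/[^/]+/catalog:(\S+)$")

def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified:
    this inspects a token you already hold, it is not an authorization check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    body = parts[1]
    body += "=" * (-len(body) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def catalog_roles(payload: dict) -> set:
    """Collect the Service Broker role names found in the perms claim."""
    roles = set()
    for perm in payload.get("perms", []):
        match = CATALOG_PERM.match(perm)
        if match:
            roles.add(match.group(1))
    return roles

def roles_beyond_user(token: str) -> set:
    """Service Broker roles other than 'user'. Empty set means User only."""
    return catalog_roles(decode_payload(token)) - {"user"}

def _make_sample(perms: list) -> str:
    # Builds a constructed, unsigned sample token for demonstration only.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"perms": perms}), "sig"])

SERVICE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real ID
BEFORE = _make_sample(["csp:org_member",
                       f"external/{SERVICE_ID}/catalog:viewer",
                       f"external/{SERVICE_ID}/catalog:user"])
AFTER = _make_sample(["csp:org_member", f"external/{SERVICE_ID}/catalog:user"])

if __name__ == "__main__":
    print("before role removal:", roles_beyond_user(BEFORE))
    print("after role removal: ", roles_beyond_user(AFTER))
```

A non-empty result for a token issued after the role change means the user still holds a Service Broker role beyond User, or is still using a token from before logging out.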