Well, quickly looking at the way we have implemented access control, it seems we only check for one permission per one action. I guess that's why you don't have missing permissions if at least one of them are present. Currently it seems if we add the action into multiple permission blocks, it would treat it as "at least one of those permissions allow this action", which is quite opposite you want to achieve.

As a solution I'd suggest:

• Either show errors on each requested action (such as loading the page, checking for categories, etc). For loading the page, create_job_invocations permission should be enough.
• Or adjust the whole system to be able to check for multiple permissions for one action.

But that's just my observations, @adamruzicka, did I miss anything?

Yeah, that's in line with what I've seen. Out of the two options you suggested I'd vote for the second. There are ~five permissions you really need to be able to trigger a job and I'd prefer not getting to the form at all if I'm missing any rather than seeing the form which bunch of unauthorized errors all over the place. Otoh, and maybe that's just me being pessimistic, I'm pretty sure that there's a part of the wider foreman ecosystem which relies on the current behavior when any permission suffices

Thank you for your input. I see it the same way. I can somehow work around it and make it function as needed just for this case, but I was unfortunately hoping that there is already a proper way to approach this permission issue.

The question is, should we even allow user to get "create_job_invocations" permission without all other 4 required ones? Should it implicitly add these? Should we have any validations? I know this would open a can of worms by introducing dependency between permissions, but from user perspective, I don't want to be able to define meaningless combinations of permissions. With more complex wizards, we'll get to similar situations more often.

EDIT: to be clear, the proper solution IMHO should not block this PR and work around solution is fine by me here

Should we then actually kinda enforce using predefined roles? Which can contain all the needed perms?

I'm going to write a post on the Discourse about this overall permission issue, so maybe we'll get more opinions/proposals

I've updated the PR to be ready for review. The permissions are taken from a new API (theforeman/foreman#9902). Could anyone please take a look at it?

I noticed that it takes a bit of time to display the permission denied panel, first the wizard is displayed, then the panel hops in. But that is just a minor annoyance, otherwise works as described

I noticed that it takes a bit of time to display the permission denied panel, first the wizard is displayed, then the panel hops in. But that is just a minor annoyance, otherwise works as described

Thanks for the review. You're right about this - I kinda ignored it, but if it's too annoying, I can for sure add a "loading" page instead of it in the future.

Thank you @kmalyjur , @ofedoren, @ares & @pondrejk !