diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
index 2376349c4d..324e786692 100644
--- a/environments/enable-secure-rbac.yaml
+++ b/environments/enable-secure-rbac.yaml
@@ -878,7 +878,7 @@ parameter_defaults:
 value: "rule:admin_api"
 neutron-get_flavor:
 key: "get_flavor"
- value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or role:reader"
 neutron-update_flavor:
 key: "update_flavor"
 value: "rule:admin_api"
@@ -1181,10 +1181,13 @@ parameter_defaults:
 value: "rule:admin_api or role:data_plane_integrator"
 neutron-delete_port:
 key: "delete_port"
- value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
+ value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
+ neutron-shared_policy:
+ key: "shared_qos_policy"
+ value: "field:policies:shared=True"
 neutron-get_policy:
 key: "get_policy"
- value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"
 neutron-create_policy:
 key: "create_policy"
 value: "rule:admin_api"
@@ -1362,12 +1365,15 @@ parameter_defaults:
 neutron-admin_owner_or_sg_owner:
 key: "admin_owner_or_sg_owner"
 value: "rule:owner or rule:admin_or_sg_owner"
+ neutron-shared_security_group:
+ key: "shared_security_group"
+ value: "field:security_groups:shared=True"
 neutron-create_security_group:
 key: "create_security_group"
 value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
 neutron-get_security_group:
 key: "get_security_group"
- value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
+ value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"
 neutron-update_security_group:
 key: "update_security_group"
 value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
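Review bot: The new `get_flavor` value drops the `project_id:%(project_id)s` condition without saying why, so a `role:reader` token from any project now passes the check. This is presumably deliberate, on the assumption that a flavor has no owning project for the old clause to match, but nothing in the file records that. A later cleanup could then re-add the scope and break reads. A comment above the `neutron-get_flavor` entry would make the intent explicit, for example `# Flavors are not project-owned, so project_id scoping cannot match; reader access is intentionally unscoped.`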
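Review bot: The `rule:network_owner` disjunct added to `delete_port` is not paired with a role, unlike the `(role:member and project_id:%(project_id)s)` clause next to it. The rule's definition is outside this hunk; if it only compares the caller's project with the network's owner, a `role:reader` token in the network-owning project could delete ports, including ports other projects created on that network. Consider `(role:member and rule:network_owner)` as the final disjunct so the read-only persona stays read-only. Separately, the new entry is named `neutron-shared_policy` while its key is `shared_qos_policy`; the neighbouring entries follow `neutron-<key>`, so `neutron-shared_qos_policy` would be consistent.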
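Review bot: The `rule:shared_security_group` disjunct added to `get_security_group` has no role or project condition, so whenever the `shared` field check matches, the read passes regardless of `role:reader`. The same holds for `rule:shared_qos_policy` on `get_policy` in the previous hunk. How `shared` is computed for a given caller is not visible here, so it is worth confirming that this is the intended cross-project read. If it is, a comment above `neutron-shared_security_group` would record it, for example `# Matches on the resource's shared attribute only (no role/project check); cross-project read is intentional.`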