RBAC does not let server-group scoped roles read all hosts ---------------------------------------------------------- Key: WFCORE-504 URL: https://issues.jboss.org/browse/WFCORE-504 Project: WildFly Core Issue Type: Bug Components: Domain Management Affects Versions: 1.0.0.Alpha15 Reporter: Brian Stansberry Assignee: Brian Stansberry Fix For: 1.0.0.Alpha16 The RBAC implementation is not allowing a server-group scoped role to read resources in the host=* tree unless one of these is true: 1) the host only contains a server mapped to the server group 2) the host doesn't contain any servers. This is consistent with handling of other "mappable" things but is contrary to the docs, which declare "In addition to these privileges, users in a server-group scoped role will have non-sensitive read privileges (equivalent to the Monitor role) for resources other than those listed above." but don't list these host resources. It's also unintuitive, as the s-g-s-r is actually allowed to add a server on the host, but can't read the other host resources before doing so. Also, asking the DC for the list of host names will include the host, but trying to read its root resource will result in a NoSuchResourceException. The issue dates back to 8.0, but recent changes to the console have resulted in this breaking console behavior.