I seem to be having a problem getting a role/grant set up to restrict a user to only a single target.
I have the user/account created on the Org. In the Project I have a role with a grant.
The user can log into the desktop and if I use the grant: id=;type=;actions=* the user can see all the targets.
If I try to lock the grant to: id="ttcp_5Bm7OSg6lZ";type=*;actions=*
the user can no longer see any targets.
If I try to change to even read only, id=*;type=*;actions=read,list
the user can not see any targets.
I am using the free version of HCP to test it out and see if it is a good fit.
Hi @plesher, if you are using the desktop client for the user, then you need the grant for authorize-session to allow them to see it (and connect to it). If that user logs in through the Admin UI, then they can read/list the targets without authorize-session.
I tried it without the quotes, even copy/pasting what you have and it is the same. The user can see only the one target in the web page, but in the desktop client, the user does not see any targets.
As soon as I change the id=*, the user sees all the targets in the desktop app.
Thank you again for all the help, unfortunately, I’m having the same issue.
I created a new role named target-consumer in the project with both of the grants you put above ( there is a , instead of ; in the second one ).
I added the user to target-consumer.
I used the existing role in the project and put your third grant in it and assigned the user to that.
The user is limited to only one target as expected in the web page, but the desktop app still shows zero targets. If I change it to id=*, then the user sees all the targets.
I also tried adding the same target-consumer role to the Org level and assigning the user to the role. Same problem.
Sorry for the late response, we will look into this and get back to you. This may be an issue with our desktop client specifically as the grants you have tried seem correct and you are getting correct behavior on the browser UI.