RBAC issues (Auth role taking priority)


I am currently trying to set an RBAC policy to hide a page “P” from a user with a role of “X”. The way I do this is by doing the following steps

  1. Make sure target user has a role of X applied to them.

  2. Navigating to the permissions page for the page I want to hide and selecting “Deny” on Read page “P”, then saving the changes.

This does not hide the page. However, if the “Deny” on Read page “P” is set on the Authenticated role instead, the page is successfully hidden, regardless of the state of Read page on role X, which doesn’t make sense, since according to the documentation, common roles should have priority over the Auth role.

I have attached some images showing the current setup for the user. I am using v2021.9.6, and I’m currently unable to upgrade to the current version of corteza.


Looks OK on my end (I spun up a fresh instance for your version) – Home2 has the deny read for the new role.

Please check:

  • did you save the change in the permission modal window; can you double-check the perm. is set correctly?
  • did you give the test user the role after you logged in with him? In order to apply role changes you need to re-authenticate. You can check in the network dev tools