When scopes are defined and resources assigned to them, you can: • Restrict the resources displayed in the user interface (UI) to those assigned to the scope.
I think that sentence is not completely true. When the user logs in, the displayed information is filtered by "All resources in scope". However, the user is able to change the filter to "All resources", gaining visibility of them. Of course, the user cannot operate/manage them, but there is no restriction to display resources not assigned to the scope.
Is this the expected behaviour? Am I missing anything in SBAC configuration?
Re: Does Scope Based Access Control (OV 4.0) really restrict resource visibility?
This looks to be more of an individual perception on interpreting what is written in the user guide.
What is seen is as per design only unless it has any functional impacts on the environment.
I´m a volunteer in the HPE Forum. If this helps you with your issue, please click the thumb to register a Kudo. If it resolves the issue, please consider marking it as an Accepted Solution. The opinions expressed are the personal opinions of the authors, not of Hewlett Packard Enterprise.
Re: Does Scope Based Access Control (OV 4.0) really restrict resource visibility?
SBAC is used for delegation of administration, not for multi-tenancy. The All Resources In Scope is a way to mimic the behavior of multi-tenancy. But as you saw, it doesn't stop anyone from changing it to All Resources. And doing that does NOT mean one has Use rights. This is called out in the User Guide.
