Hi Rui,
> I spotted the issue. When we change the API host in "Director resource permissions" to "No access" the Job is not added to the Console. I figured out that the "Console" and "Job" permissions must have read-write to write the JobAcl. Do you see any possible security problem with this?
Super that you found it.
As for the security problem with this, as long as you do not share with this restricted user any page with the Job or Console configuration form, this will be fine. If the restricted user gets access to a page with Job or Console, he/she will be able to save it.
If your communication between Web => API is protected by OAuth2 (by default it is Basic auth, not OAuth2), then you can not set the config OAuth2 scope, and then this user will not be able to work with any configuration. This is called Access to functions and you can find it here:
https://bacularis.app/doc/users/function-access.html
> When we delete the Job the JobAcl is not deleted from the bacula-dir.conf file. We need to go to the Console ACL page and press the Save button to apply the changes to the file.
Yes, this is true. I agree it might be good to have this function.
BTW: The JobAcl and rest *Acl directive approach for storing resource names is very relaxed because we can put in these directives any string (e.g. a non-existing resource name) and Bacula will not report any error. I mean that Bacula treats these values more like strings than resource name references.
I noted this problem to solve. Thanks for pointing it out.
Best regards
Marcin Haba (gani)
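
Because JobAcl values are stored as free-form strings, entries left behind after a Job is deleted can be found with an external check. The following is an added example, not part of the original thread and not Bacularis or Bacula code: a Python sketch that reports JobAcl entries in Console resources that name no defined Job. The sample configuration is constructed, and the parser assumes one directive per line.

```python
import re

# Constructed sample in bacula-dir.conf syntax (not taken from the thread).
SAMPLE_CONF = '''
Job {
  Name = "BackupWeb"
}
Console {
  Name = "restricted-user"
  JobAcl = "BackupWeb", "OldDeletedJob"
}
Console {
  Name = "admin-console"
  Job ACL = *all*
}
'''

def norm(keyword):  # Bacula ignores case and spaces in keywords
    return re.sub(r'\s+', '', keyword).lower()

def parse_resources(text):
    """Return [(type, [(directive, value), ...])] for top-level resources."""
    resources, depth, current = [], 0, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # simplification: '#' in quotes not handled
        opener = re.match(r'^([A-Za-z ]+?)\s*\{$', line)
        if depth == 0 and opener:
            current = (norm(opener.group(1)), [])
            resources.append(current)
        elif depth == 1 and current and '=' in line and not line.endswith('{'):
            key, value = line.split('=', 1)
            current[1].append((norm(key), value.strip()))
        depth += line.count('{') - line.count('}')
    return resources

def dangling_job_acls(text):
    """Map each Console name to JobAcl entries that match no defined Job."""
    resources = parse_resources(text)
    jobs = {v.strip('"') for t, ds in resources if t == 'job'
            for k, v in ds if k == 'name'}
    findings = {}
    for ds in (ds for t, ds in resources if t == 'console'):
        name = next((v.strip('"') for k, v in ds if k == 'name'), '<unnamed>')
        entries = [e.strip().strip('"') for k, v in ds if k == 'jobacl'
                   for e in v.split(',')]
        stale = [e for e in entries if e and e != '*all*' and e not in jobs]
        if stale:
            findings[name] = stale
    return findings
```

Running `dangling_job_acls()` on the contents of the Director configuration file gives a list of Console ACLs to review and re-save.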