redhat-developer · JessicaJHee · Oct 17, 2025
diff --git a/.ibm/pipelines/env_variables.sh b/.ibm/pipelines/env_variables.sh
@@ -82,6 +82,12 @@ QE_USER5_ID=$(cat /tmp/secrets/QE_USER5_ID)
 QE_USER5_PASS=$(cat /tmp/secrets/QE_USER5_PASS)
 QE_USER6_ID=$(cat /tmp/secrets/QE_USER6_ID)
 QE_USER6_PASS=$(cat /tmp/secrets/QE_USER6_PASS)
+QE_USER7_ID=$(cat /tmp/secrets/QE_USER7_ID)
+QE_USER7_PASS=$(cat /tmp/secrets/QE_USER7_PASS)
+QE_USER8_ID=$(cat /tmp/secrets/QE_USER8_ID)
+QE_USER8_PASS=$(cat /tmp/secrets/QE_USER8_PASS)
+QE_USER9_ID=$(cat /tmp/secrets/QE_USER9_ID)
+QE_USER9_PASS=$(cat /tmp/secrets/QE_USER9_PASS)
 
 K8S_CLUSTER_TOKEN_TEMPORARY=$(cat /tmp/secrets/K8S_CLUSTER_TOKEN_TEMPORARY)
 

diff --git a/.ibm/pipelines/resources/config_map/app-config-rhdh-rbac.yaml b/.ibm/pipelines/resources/config_map/app-config-rhdh-rbac.yaml
@@ -136,4 +136,5 @@ permission:
     admin:
       users:
         - name: user:default/rhdh-qe
+    policyDecisionPrecedence: conditional # default behavior
 includeTransitiveGroupOwnership: true
diff --git a/.ibm/pipelines/resources/config_map/rbac-policy.csv b/.ibm/pipelines/resources/config_map/rbac-policy.csv
@@ -39,3 +39,17 @@ p, role:default/catalog_reader, catalog.entity.read, read, allow
 g, user:default/rhdh-qe, role:default/extension
 p, role:default/extension, extension-plugin, read, allow
 p, role:default/extension, extension-plugin, create, allow
+
+p, role:default/all_resource_reader, catalog-entity, read, allow
+p, role:default/all_resource_reader, catalog-entity, create, allow
+g, user:default/rhdh-qe-7, role:default/all_resource_reader
+
+p, role:default/all_resource_denier, catalog-entity, read, deny
+p, role:default/all_resource_denier, catalog-entity, create, allow
+g, user:default/rhdh-qe-8, role:default/all_resource_denier
+
+g, user:default/rhdh-qe-7, role:default/owned_resource_reader
+g, user:default/rhdh-qe-8, role:default/owned_resource_reader
+
+g, user:default/rhdh-qe-9, role:default/all_resource_reader
+g, user:default/rhdh-qe-9, role:default/conditional_denier
diff --git a/.ibm/pipelines/value_files/values_showcase-rbac.yaml b/.ibm/pipelines/value_files/values_showcase-rbac.yaml
@@ -385,6 +385,31 @@ upstream:
               params:
                 claims:
                   - \$ownerRefs
+            ---
+            result: CONDITIONAL
+            roleEntityRef: 'role:default/owned_resource_reader'
+            pluginId: catalog
+            resourceType: catalog-entity
+            permissionMapping:
+              - read
+            conditions:
+              rule: IS_ENTITY_OWNER
+              resourceType: catalog-entity
+              params:
+                claims:
+                  - \$currentUser
+            ---
+            result: CONDITIONAL
+            roleEntityRef: 'role:default/conditional_denier'
+            pluginId: catalog
+            resourceType: catalog-entity
+            permissionMapping:
+              - read
+            conditions:
+              rule: HAS_LABEL
+              resourceType: catalog-entity
+              params:
+                label: test-label
             EOF
 
             ./install-dynamic-plugins.sh /dynamic-plugins-root

diff --git a/e2e-tests/playwright/e2e/plugins/rbac/rbac.spec.ts b/e2e-tests/playwright/e2e/plugins/rbac/rbac.spec.ts
@@ -786,4 +786,61 @@ test.describe.serial("Test RBAC", () => {
       await expect(dropdownMenuLocator).toBeHidden();
     });
   });
+
+  test.describe
+    .serial("Test RBAC plugin: policyDecisionPrecedence: conditional — prioritize conditional before basic (default behavior)", () => {
+    test("should allow read as defined in basic policy and conditional", async ({
+      page,
+    }) => {
+      const common = new Common(page);
+      const uiHelper = new UIhelper(page);
+
+      // Should allow read for user7: has static allow read via CSV and is also permitted via conditional policy
+      await common.loginAsKeycloakUser(
+        process.env.QE_USER7_ID,
+        process.env.QE_USER7_PASS,
+      );
+      await uiHelper.openSidebar("Catalog");
+      await uiHelper.selectMuiBox("Kind", "Component");
+      await uiHelper.searchInputPlaceholder("mock-component");
+      await expect(
+        page.getByRole("link", { name: "mock-component-qe-7" }),
+      ).toBeVisible();
+    });
+
+    test("should allow read as defined in conditional policy, basic policy should be disregarded", async ({
+      page,
+    }) => {
+      const common = new Common(page);
+      const uiHelper = new UIhelper(page);
+
+      // Should allow read for user8: conditional policy takes precedence over static deny read via CSV
+      await common.loginAsKeycloakUser(
+        process.env.QE_USER8_ID,
+        process.env.QE_USER8_PASS,
+      );
+      await uiHelper.openSidebar("Catalog");
+      await uiHelper.selectMuiBox("Kind", "Component");
+      await uiHelper.searchInputPlaceholder("mock-component");
+      await expect(
+        page.getByRole("link", { name: "mock-component-qe-8" }),
+      ).toBeVisible();
+    });
+
+    test("should deny read as defined in conditional policy, basic policy should be disregarded", async ({
+      page,
+    }) => {
+      const common = new Common(page);
+      const uiHelper = new UIhelper(page);
+
+      // Should allow read for user9: conditional deny policy takes precedence over allow read via basic
+      await common.loginAsKeycloakUser(
+        process.env.QE_USER9_ID,
+        process.env.QE_USER9_PASS,
+      );
+      await uiHelper.openSidebar("Catalog");
+      await uiHelper.selectMuiBox("Kind", "Component");
+      await uiHelper.verifyTableIsEmpty();
+    });
+  });
 });