feat(orchestrator): improve permission denied error handling for workflow instances #2033
Merged
lokanandaprabhu merged 1 commit into redhat-developer:main from Jan 19, 2026
mareklibra approved these changes Jan 13, 2026



Hey, I just made a Pull Request!
This PR improves the user experience when a user lacks permission to view a workflow instance. Instead of showing a generic error, users now see a clean "Access Denied" panel with actionable information.
Problem
When RBAC is enabled and a user tries to view a workflow instance without the orchestrator.instanceAdminView permission, they would see a confusing generic error. This was particularly problematic for:
Solution:
Backend (orchestrator-backend):
1. Which permission the user has (orchestrator.workflow or orchestrator.workflow.[workflowId])
2. Why access is denied (missing ownership info or different initiator)
3. What permission is needed (orchestrator.instanceAdminView)
Frontend (orchestrator):
Screenshot:
Access Denied (without instanceAdminView):
User has orchestrator.workflow.yamlgreet permission but lacks instanceAdminView. When accessing a workflow instance created externally (without initiatorEntity ownership info), the new PermissionDeniedPanel is displayed.
After adding orchestrator.instanceAdminView permission to the user's role, they can now successfully view all workflow instance details - including those created externally or by other users.
✔️ Checklist
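
The access decision and three-part denial message described in this PR, sketched as an added example that is not the PR's own code. All function, type and reason names are hypothetical; only the three permission strings come from the description, and the ordering of the checks and the case-insensitive entity comparison are assumptions.

```typescript
// Added example; every name except the three permission strings is hypothetical.
const ADMIN_VIEW = 'orchestrator.instanceAdminView';
const WORKFLOW = 'orchestrator.workflow';

type DenyReason = 'NO_WORKFLOW_PERMISSION' | 'MISSING_OWNERSHIP_INFO' | 'DIFFERENT_INITIATOR';

interface Decision {
  allowed: boolean;
  heldPermission?: string;     // which workflow permission matched
  reason?: DenyReason;         // why access is denied
  requiredPermission?: string; // what would grant access
}

interface Instance { workflowId: string; initiatorEntity?: string }

function decideInstanceAccess(userRef: string, granted: readonly string[], inst: Instance): Decision {
  const has = (p: string): boolean => granted.indexOf(p) !== -1;
  const specific = `${WORKFLOW}.${inst.workflowId}`;
  const held = has(WORKFLOW) ? WORKFLOW : has(specific) ? specific : undefined;
  // Assumption: a workflow-level permission is a precondition for instance access.
  if (held === undefined) {
    return { allowed: false, reason: 'NO_WORKFLOW_PERMISSION', requiredPermission: specific };
  }
  if (has(ADMIN_VIEW)) return { allowed: true, heldPermission: held };
  // Without admin view only the initiator may read the instance. Fail closed when
  // ownership info is absent, e.g. for an instance created externally.
  if (!inst.initiatorEntity) {
    return { allowed: false, heldPermission: held, reason: 'MISSING_OWNERSHIP_INFO', requiredPermission: ADMIN_VIEW };
  }
  // Assumption: entity refs are compared case-insensitively.
  if (inst.initiatorEntity.toLowerCase() !== userRef.toLowerCase()) {
    return { allowed: false, heldPermission: held, reason: 'DIFFERENT_INITIATOR', requiredPermission: ADMIN_VIEW };
  }
  return { allowed: true, heldPermission: held };
}

// Text for the denial response. It names permissions only, never the initiator
// or any instance data, so the error does not leak what the check protects.
function denialMessage(d: Decision): string {
  if (d.allowed || d.reason === undefined) return '';
  const why: Record<DenyReason, string> = {
    NO_WORKFLOW_PERMISSION: 'no permission for this workflow',
    MISSING_OWNERSHIP_INFO: 'the instance has no ownership information',
    DIFFERENT_INITIATOR: 'the instance was started by a different user',
  };
  const held = d.heldPermission ?? 'none';
  return `Access denied: ${why[d.reason]}. Held: ${held}. Required: ${d.requiredPermission ?? 'unknown'}.`;
}
```
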