feat: [UIE-9794] - IAM: Enable account_viewer to access users table (#13189)

aaleksee-akamai · web-flow · commit 9263baf25692 · 2025-12-15T09:28:51.000+01:00
* feat: [UIE-9794] - IAM: Enable account_viewer to access users table

* changesets

* fix a tooltip
diff --git a/packages/manager/.changeset/pr-13189-changed-1765378735594.md b/packages/manager/.changeset/pr-13189-changed-1765378735594.md
@@ -0,0 +1,5 @@
+---
+"@linode/manager": Changed
+---
+
+IAM: Enable account_viewer to access users table ([#13189](https://github.com/linode/manager/pull/13189))
diff --git a/packages/manager/src/features/IAM/Users/UsersTable/UserRow.tsx b/packages/manager/src/features/IAM/Users/UsersTable/UserRow.tsx
@@ -30,10 +30,11 @@ export const UserRow = ({ onDelete, user }: Props) => {
   const { data: permissions } = usePermissions('account', [
     'delete_user',
     'is_account_admin',
+    'view_account',
   ]);
 
   const { isIAMDelegationEnabled } = useIsIAMDelegationEnabled();
-  const canViewUser = permissions.is_account_admin;
+  const canViewUser = permissions.view_account;
 
   // Determine if the current user is a child account with isIAMDelegationEnabled enabled
   // If so, we need to show the 'User type' column in the table
diff --git a/packages/manager/src/features/IAM/Users/UsersTable/Users.tsx b/packages/manager/src/features/IAM/Users/UsersTable/Users.tsx
@@ -199,8 +199,8 @@ export const UsersLanding = () => {
               disabled={!canCreateUser}
               onClick={() => setIsCreateDrawerOpen(true)}
               tooltipText={
-                canCreateUser
-                  ? 'You cannot create other users as a restricted user.'
+                !canCreateUser
+                  ? 'You do not have permission to create other users.'
                   : undefined
               }
             >
diff --git a/packages/manager/src/features/IAM/Users/UsersTable/UsersActionMenu.test.tsx b/packages/manager/src/features/IAM/Users/UsersTable/UsersActionMenu.test.tsx
@@ -44,6 +44,7 @@ describe('UsersActionMenu', () => {
         permissions={{
           is_account_admin: true,
           delete_user: true,
+          view_account: true,
         }}
         username="test_user"
       />
@@ -99,6 +100,7 @@ describe('UsersActionMenu', () => {
         permissions={{
           is_account_admin: true,
           delete_user: true,
+          view_account: true,
         }}
         username="current_user"
       />
diff --git a/packages/manager/src/features/IAM/Users/UsersTable/UsersActionMenu.tsx b/packages/manager/src/features/IAM/Users/UsersTable/UsersActionMenu.tsx
@@ -10,7 +10,7 @@ import type { PickPermissions, UserType } from '@linode/api-v4';
 import type { Action } from 'src/components/ActionMenu/ActionMenu';
 
 type UserActionMenuPermissions = PickPermissions<
-  'delete_user' | 'is_account_admin'
+  'delete_user' | 'is_account_admin' | 'view_account'
 >;
 
 interface Props {
@@ -29,6 +29,7 @@ export const UsersActionMenu = (props: Props) => {
     useDelegationRole();
 
   const isAccountAdmin = permissions.is_account_admin;
+  const isAccountViewer = permissions.view_account;
   const canDeleteUser = isAccountAdmin || permissions.delete_user;
   const isDelegateUser = userType === 'delegate';
 
@@ -46,8 +47,8 @@ export const UsersActionMenu = (props: Props) => {
         });
       },
       hidden: shouldHideForChildDelegate,
-      disabled: !isAccountAdmin,
-      tooltip: !isAccountAdmin
+      disabled: !isAccountViewer,
+      tooltip: !isAccountViewer
         ? 'You do not have permission to view user details.'
         : undefined,
       title: 'View User Details',
@@ -59,8 +60,8 @@ export const UsersActionMenu = (props: Props) => {
           params: { username },
         });
       },
-      disabled: !isAccountAdmin,
-      tooltip: !isAccountAdmin
+      disabled: !isAccountViewer,
+      tooltip: !isAccountViewer
         ? 'You do not have permission to view assigned roles.'
         : undefined,
       title: 'View Assigned Roles',
@@ -72,8 +73,8 @@ export const UsersActionMenu = (props: Props) => {
           params: { username },
         });
       },
-      disabled: !isAccountAdmin,
-      tooltip: !isAccountAdmin
+      disabled: !isAccountViewer,
+      tooltip: !isAccountViewer
         ? 'You do not have permission to view entity access.'
         : undefined,
       title: 'View Entity Access',
diff --git a/packages/queries/.changeset/pr-13189-changed-1765378759554.md b/packages/queries/.changeset/pr-13189-changed-1765378759554.md
@@ -0,0 +1,5 @@
+---
+"@linode/queries": Changed
+---
+
+IAM: Enable account_viewer to access users table ([#13189](https://github.com/linode/manager/pull/13189))
diff --git a/packages/queries/src/account/users.ts b/packages/queries/src/account/users.ts
@@ -29,11 +29,9 @@ export const useAccountUsers = ({
   filters?: Filter;
   params?: Params;
 }) => {
-  const { data: profile } = useProfile();
-
   return useQuery<ResourcePage<User>, APIError[]>({
     ...accountQueries.users._ctx.paginated(params, filters),
-    enabled: enabled && !profile?.restricted,
+    enabled,
     placeholderData: keepPreviousData,
   });
 };

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@linode/manager": Changed
 +---
++
 +IAM: Enable account_viewer to access users table ([#13189](https://github.com/linode/manager/pull/13189))
Original file line number	Diff line number	Diff line change
`@@ -199,8 +199,8 @@ export const UsersLanding = () => {`
`199`	`199`	`disabled={!canCreateUser}`
`200`	`200`	`onClick={() => setIsCreateDrawerOpen(true)}`
`201`	`201`	`tooltipText={`
`202`		`- canCreateUser`
`203`		`- ? 'You cannot create other users as a restricted user.'`
	`202`	`+ !canCreateUser`
	`203`	`+ ? 'You do not have permission to create other users.'`
`204`	`204`	`: undefined`
`205`	`205`	`}`
`206`	`206`	`>`