Hi everyone,
I’m working with the Dockerized version of Greenbone Community Edition (GVM 26.11.x), and I’m trying to configure a fully role-based setup by automating the process through a custom script running inside the gvmd container. However, the permission model is giving me a hard time, so I’m here looking for help.
I want to create two users (user1 and user2), each belonging to two different roles (role1 and role2), relying only on role-based permissions.
Each role has the required permissions to create tasks, start/stop tasks, view/download reports.
This setup works correctly with permissions applied only to the roles, without assigning any direct user-level permissions (other than the automatically created get_users permission so they can view their own profile in the GUI).
Now, I want to extend the setup by creating a third user (user3) who is a member of both role1 and role2.
User3 should be able only to see tasks created by user1 and user2, start/stop those tasks, view/download their report and modify tasks and their targets/schedules if needed.
…but:
I do not want to use the “Super” permission on the roles.
From what I’ve read, granting “Super” on a role makes the user effectively the owner of all resources in that role, which exposes everything (notes, alerts, tags, configs, filters, overrides, etc.), not just tasks and reports. My question:
Is it possible to:
- give user3 read/write access only to tasks and reports created by all users within the roles it belongs to
- ✘ without granting “Super” on those roles (i.e., without exposing all other resource types like notes, alerts, filters, overrides, feeds, etc.)
In other words:
Can GVM assign object-level permissions specifically for:
- tasks
- reports
- targets (linked to those tasks)
based purely on role membership, without elevating user3 to a full superuser for the entire role?
Or does the GVM permission model require “Super” on the role to inherit other users’ tasks?
Looking forward to hearing from you — best regards!
momsec
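As an added example (not code from the post or from Greenbone), here is the least-privilege alternative to “Super” that the question is circling: per-resource GMP `create_permission` requests that name a single task as the `<resource>` and a role as the `<subject>`, generated for every task owned by user1 and user2. It assumes the GMP `create_permission` XML layout (`<subject id>`/`<resource id>` with a `<type>` child), placeholder IDs, a constructed `get_tasks` response, and that report access follows from the task grant in gvmd (verify that last point on your instance).

```python
import xml.etree.ElementTree as ET

# Per-task permissions matching the access described in the post: see the
# task, start/stop/resume it, and modify it. Report visibility is assumed
# (not confirmed here) to follow from the task permission in gvmd.
TASK_PERMISSIONS = ("get_tasks", "start_task", "stop_task", "resume_task", "modify_task")

# Constructed sample of a <get_tasks_response>, as an admin would see it.
SAMPLE_GET_TASKS = """<get_tasks_response status="200" status_text="OK">
  <task id="TASK-ID-1"><name>scan-a</name><owner><name>user1</name></owner></task>
  <task id="TASK-ID-2"><name>scan-b</name><owner><name>user2</name></owner></task>
  <task id="TASK-ID-3"><name>scan-c</name><owner><name>admin</name></owner></task>
</get_tasks_response>"""

def tasks_owned_by(get_tasks_xml, owners):
    """Return [(task_id, owner)] for tasks whose owner name is in `owners`."""
    root = ET.fromstring(get_tasks_xml)
    out = []
    for task in root.findall("task"):
        owner = task.findtext("owner/name")
        if owner in owners:
            out.append((task.get("id"), owner))
    return out

def create_permission_xml(name, subject_id, subject_type, resource_id, resource_type):
    """Build one GMP <create_permission> request scoped to a single resource."""
    root = ET.Element("create_permission")
    ET.SubElement(root, "name").text = name
    subject = ET.SubElement(root, "subject", id=subject_id)
    ET.SubElement(subject, "type").text = subject_type
    resource = ET.SubElement(root, "resource", id=resource_id)
    ET.SubElement(resource, "type").text = resource_type
    return ET.tostring(root, encoding="unicode")

def role_task_grants(get_tasks_xml, owners, role_id):
    """All per-task grants for `role_id` (placeholder) over tasks owned by `owners`.
    Every request carries a <resource>, so the role never receives a
    role-wide grant the way "Super" would."""
    return [create_permission_xml(perm, role_id, "role", task_id, "task")
            for task_id, _ in tasks_owned_by(get_tasks_xml, owners)
            for perm in TASK_PERMISSIONS]

def describe(permission_xml):
    """(name, subject_type, subject_id, resource_type, resource_id) of a request."""
    p = ET.fromstring(permission_xml)
    return (p.findtext("name"), p.findtext("subject/type"), p.find("subject").get("id"),
            p.findtext("resource/type"), p.find("resource").get("id"))
```

Each request string is what a script inside the gvmd container would send over the GMP socket; re-run it whenever user1 or user2 creates a new task, since per-resource grants do not cover tasks that appear later.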