
VIEW_PORTFOLIO permissions ability to download the SBOM

Open. webmutation opened this issue 3 years ago • 1 comment

Current Behavior

Hello. Currently, to enable users to download the SBOM image, we have to grant them the PORTFOLIO_MANAGEMENT permission. This carries a lot of privileges, namely the ability to delete a project, etc., that we do not want to grant to read-only viewers. They may need to download the SBoM for report purposes, but that is the only operation they require.

Proposed Behavior

Allow VIEW_PORTFOLIO to download the SBOM (enable the SBOM button to be visible).

This will allow us to enforce the principle of least privilege.


webmutation, Dec 16 '22 10:12

VIEW_PORTFOLIO should grant permission to download the "Inventory" BOM. VIEW_VULNERABILITY should additionally grant permission to download the "Inventory with Vulnerabilities" and "VDR" variants.

msymons, Jan 03 '23 20:01
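The permission-to-variant mapping proposed in the comment above, written out as a deny-by-default authorization check. This is an added illustration, not Dependency-Track's own code or API: the permission names come from the thread, while the variant identifiers (`inventory`, `withVulnerabilities`, `vdr`), the function names and the sample principals are assumptions. "Additionally" is read literally, so the vulnerability-bearing variants require both VIEW_PORTFOLIO and VIEW_VULNERABILITY, and any variant without a policy entry is refused rather than falling back to a broad permission.

```python
"""Illustrative BOM-export authorization policy for the mapping proposed in
the thread. Hypothetical helper, not Dependency-Track's own code; permission
names are taken from the discussion, variant identifiers are assumptions."""
from __future__ import annotations

# Permission names as used in the thread.
VIEW_PORTFOLIO = "VIEW_PORTFOLIO"
VIEW_VULNERABILITY = "VIEW_VULNERABILITY"

# BOM variant -> every permission a caller must hold to export it.
# The variant identifiers are assumptions made for this example.
EXPORT_POLICY: dict[str, frozenset[str]] = {
    "inventory": frozenset({VIEW_PORTFOLIO}),
    "withVulnerabilities": frozenset({VIEW_PORTFOLIO, VIEW_VULNERABILITY}),
    "vdr": frozenset({VIEW_PORTFOLIO, VIEW_VULNERABILITY}),
}


def required_permissions(variant: str) -> frozenset[str]:
    """Permissions needed for a variant. An unknown variant raises, so a
    newly added export type cannot ship without an explicit policy entry."""
    try:
        return EXPORT_POLICY[variant]
    except KeyError:
        raise ValueError(f"no export policy for BOM variant {variant!r}") from None


def can_export(granted: set[str] | frozenset[str], variant: str) -> bool:
    """Deny by default: allow only when the caller holds every required
    permission for the requested variant."""
    try:
        needed = required_permissions(variant)
    except ValueError:
        return False
    return needed <= frozenset(granted)


def exportable_variants(granted: set[str] | frozenset[str]) -> list[str]:
    """All variants the caller may export, for deciding which download
    buttons to show in a UI."""
    return sorted(v for v in EXPORT_POLICY if can_export(granted, v))


if __name__ == "__main__":
    # Constructed principals for the example.
    read_only_viewer = {VIEW_PORTFOLIO}
    analyst = {VIEW_PORTFOLIO, VIEW_VULNERABILITY}
    anonymous: set[str] = set()

    for name, perms in [("viewer", read_only_viewer),
                        ("analyst", analyst),
                        ("anonymous", anonymous)]:
        print(f"{name:9s} may export: {exportable_variants(perms)}")
    # A variant nobody registered a policy for is refused even for the analyst.
    print("analyst, unknown variant:", can_export(analyst, "sbomWithEverything"))
```

The point of the explicit map is that the read-only viewer from the issue gets exactly the inventory export and nothing else, while the same check refuses a caller who holds VIEW_VULNERABILITY without VIEW_PORTFOLIO, and refuses any variant that was never added to the policy.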

@msymons, is this issue still open to work on?

mohitlakhera, Oct 03 '25 13:10