django-DefectDojo icon indicating copy to clipboard operation
django-DefectDojo copied to clipboard
verified publisher icon DefectDojo

Members of groups syncing with Azure AD have Group role “Maintainer“

Open AndreyMZ opened this issue 1 year ago • 0 comments

Problem description

Group members added by the syncing with Microsoft Entra ID (ex. Azure AD) (https://github.com/DefectDojo/django-DefectDojo/pull/6128) have Group role “Maintainer“ that gives them the following permissions: Group_View, Group_Edit, Group_Manage_Members, Group_Member_Delete. This is bad because:

  1. It is insecure to allow all group members to manage the group.
  2. The synced groups are not expected not be managed in DefectDojo at all.

Root cause

https://github.com/DefectDojo/django-DefectDojo/blob/0bd2ac0ef1f03ae3aea939e6d79b76d5a6a1d8e6/dojo/pipeline.py#L119-L120

Possible solution

Set the Roles.Reader role instead.

AndreyMZ avatar Jun 26 '24 15:06 AndreyMZ