Create more granular permissions
Is your feature request related to a problem? Please describe
Right now the ability to set a planned remediation date is only allowed if the user can edit a Finding. However, we really only want to allow devs to set a planned remediation date, and not change severity, false_positive, etc.
RBAC permissions are at the object level. To do the above, they would need to be more granular.
Describe the solution you'd like
A more granular level of access control than at the object level. Ability to make a specific portion of an object have differing permissions.
Describe alternatives you've considered
Currently, there isn't an alternative.
Additional context
Requested via a community member on Slack and put there so it would be included in the design discussions for 3.0.
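The field-level restriction requested above, sketched as an added example (not DefectDojo's code or permission model). Role names, the `EDITABLE_FIELDS` map, `apply_update` and the `Finding` stand-in are hypothetical; field names follow the wording of the request.

```python
# Added illustration only: roles, fields and helpers are hypothetical,
# not DefectDojo's permission model or API.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Deny by default: a role may write only the fields listed for it.
EDITABLE_FIELDS = {
    "developer": frozenset({"planned_remediation_date"}),
    "maintainer": frozenset(
        {"planned_remediation_date", "severity", "false_positive"}
    ),
}


@dataclass
class Finding:
    title: str
    severity: str = "High"
    false_positive: bool = False
    planned_remediation_date: Optional[date] = None


class FieldPermissionDenied(Exception):
    def __init__(self, role, fields):
        self.fields = sorted(fields)
        super().__init__(f"role {role!r} may not edit: {', '.join(self.fields)}")


def apply_update(finding: Finding, role: str, changes: dict) -> Finding:
    """Apply `changes` only if every touched field is writable for `role`."""
    allowed = EDITABLE_FIELDS.get(role, frozenset())  # unknown role: nothing
    denied = set(changes) - allowed
    if denied:
        # Reject the whole request so a mixed edit is never partially applied.
        raise FieldPermissionDenied(role, denied)
    for name, value in changes.items():
        setattr(finding, name, value)
    return finding


if __name__ == "__main__":
    f = Finding(title="Constructed sample finding")
    apply_update(f, "developer", {"planned_remediation_date": date(2030, 1, 31)})
    try:
        apply_update(f, "developer", {"severity": "Low"})
    except FieldPermissionDenied as exc:
        print(exc)  # the developer role cannot change severity
```

The check belongs on the server-side write path, since hiding form fields in the UI alone does not stop a crafted request from changing them.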
Any chance that in DD v3 it will be possible to add permissions for a specific finding even if the user has no rights to the whole product? This would help to work with server/service owners in Defect Dojo even without a separate task manager, which requires integration.
https://github.com/DefectDojo/django-DefectDojo/issues/7396
https://github.com/DefectDojo/django-DefectDojo/issues/7415