ACCESS_MANAGEMENT permission enables user to view all projects

Open Strakeln opened this issue 1 year ago • 3 comments

Current Behavior

If a user or a team is granted ACCESS_MANAGEMENT permission, they are able to view all projects, even if their VIEW_PORTFOLIO permission is scoped (via team+portfolio access control) only to specific projects.

It's very possible that this is intentional/expected behavior, given that access management is a system-wide permission and not available on a per-project basis. And I certainly note that Portfolio Access Control is in beta.

Steps to Reproduce

  1. Log in with admin credentials
  2. Create a new user
  3. Create a new team
  4. Assign new user to new team
  5. Enable Portfolio Access Control in admin panel
  6. Grant VIEW_PORTFOLIO and ACCESS_MANAGEMENT permissions to the new team
  7. Restrict new team to some subset of projects
  8. Logout
  9. Log in with new user credentials
  10. Navigate to Projects
  11. Note that all projects are visible

Expected Behavior

If the same reproduction steps from above are followed, but without granting ACCESS_MANAGEMENT permission in step 6, then the projects the user can see are limited to the projects assigned to the team. This was my expectation for the same user with ACCESS_MANAGEMENT permission granted. That said, given that ACCESS_MANAGEMENT is a system-wide permission, it's very possible that the current behavior is what is intended.

Hyades Version

hyades-api-server:main-5.6.0-snapshot hyades-frontend:main-5.5.0 mirror-service:main-0.6.0-snapshot-native notification-publisher:main-0.6.0-snapshot-native repository-meta-analyzer:main-0.6.0-snapshot-native vulnerability-analyzer:main-0.6.0-snapshot-native

Repository Type

N/A

Browser

Mozilla Firefox

Strakeln avatar Jul 30 '24 18:07 Strakeln

Indeed this behavior is intended. Reason being that, with the ACCESS_MANAGEMENT permission, you could just assign any permission and any project to yourself that you desire.

Restricting the projects users with ACCESS_MANAGEMENT can see would be like locking 3 out of 5 doors, but then giving them the master key that can unlock all doors anyway.

That being said, if you have input as to how you would want this to work, we would most certainly like to hear that!

nscuro avatar Jul 30 '24 18:07 nscuro
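The "master key" argument above is easy to check mechanically. The following is an added example, not Hyades code: a constructed model of portfolio access control in which VIEW_PORTFOLIO is scoped per team but ACCESS_MANAGEMENT is system-wide, plus an audit helper that flags teams whose project restriction is moot because they also hold ACCESS_MANAGEMENT. The permission names come from the thread; the team and project names, the `Team` type and the rule that VIEW_PORTFOLIO is still required to see anything at all are assumptions of this model.

```python
from __future__ import annotations

from dataclasses import dataclass

# Permission names as used in the issue. Everything else in this file is a
# constructed model of the behaviour described in the thread, not Hyades code.
VIEW_PORTFOLIO = "VIEW_PORTFOLIO"
ACCESS_MANAGEMENT = "ACCESS_MANAGEMENT"


@dataclass(frozen=True)
class Team:
    name: str
    permissions: frozenset[str]
    # Projects the team was explicitly restricted to (step 7 of the report).
    projects: frozenset[str]


def visible_projects(team: Team, all_projects: set[str], acl_enabled: bool) -> frozenset[str]:
    """Projects the team's members can see.

    Rules modelled from the thread: per-project scoping applies to
    VIEW_PORTFOLIO, but ACCESS_MANAGEMENT is system-wide and bypasses it.
    Assumption of this model: VIEW_PORTFOLIO is still needed to see anything.
    """
    if VIEW_PORTFOLIO not in team.permissions:
        return frozenset()
    if ACCESS_MANAGEMENT in team.permissions or not acl_enabled:
        # The holder could grant itself any project anyway, so the
        # restriction is not enforced; same result as ACL being disabled.
        return frozenset(all_projects)
    return frozenset(team.projects & all_projects)


def moot_restrictions(teams: list[Team], all_projects: set[str], acl_enabled: bool) -> dict[str, frozenset[str]]:
    """Audit helper: teams whose project restriction cannot take effect.

    Returns {team name: projects visible beyond the configured restriction}
    for every team that is both scoped to a project subset and holds
    ACCESS_MANAGEMENT. Reviewing this list is the practical mitigation:
    treat ACCESS_MANAGEMENT as full portfolio visibility when granting it.
    """
    findings: dict[str, frozenset[str]] = {}
    if not acl_enabled:
        return findings
    for team in teams:
        if ACCESS_MANAGEMENT not in team.permissions or VIEW_PORTFOLIO not in team.permissions:
            continue
        beyond = visible_projects(team, all_projects, acl_enabled) - team.projects
        if beyond:
            findings[team.name] = frozenset(beyond)
    return findings


# Constructed sample data: five "doors", two of them assigned to each team.
ALL_PROJECTS = {"billing", "frontend", "infra", "mobile", "payments"}
AUDITORS = Team("auditors", frozenset({VIEW_PORTFOLIO}), frozenset({"billing", "frontend"}))
ADMINS = Team("admins", frozenset({VIEW_PORTFOLIO, ACCESS_MANAGEMENT}), frozenset({"billing", "frontend"}))
CI = Team("ci", frozenset(), frozenset({"billing"}))

if __name__ == "__main__":
    for team in (AUDITORS, ADMINS, CI):
        print(team.name, sorted(visible_projects(team, ALL_PROJECTS, acl_enabled=True)))
    print("moot restrictions:", moot_restrictions([AUDITORS, ADMINS, CI], ALL_PROJECTS, acl_enabled=True))
```

Running it shows `auditors` limited to its two projects, `admins` seeing all five despite the same restriction, and the audit reporting `admins` with the three extra projects. The check is the same one a reviewer of team permissions would make by hand: any team that is scoped to a subset of projects but holds ACCESS_MANAGEMENT is effectively unscoped.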

Makes complete sense to me. As you point out, there's no point in locking doors to keep someone with the master key out.

Instituting the desired behavior - access management restricted to specific projects - requires introducing the ability to manage access on a per-project level, which is no small change. My team will be looking into how we might implement such a change and whether it is something we really need/want. If we do go down that path, we'll discuss it here and submit a PR for consideration.

Apologies for making a defect that should have been a question. It straddled the line, so I defaulted to defect.

Strakeln avatar Jul 30 '24 18:07 Strakeln

No worries at all!

You are also not alone in wanting more fine-grained ACLs, see #1075 and #1406. A PR with initial work was already contributed by @zprebosnyak-lm: https://github.com/DependencyTrack/hyades-apiserver/pull/800

nscuro avatar Jul 30 '24 19:07 nscuro