
Final machine ID permissions depend on the order roles were applied

Open kyzyl opened this issue 1 month ago • 0 comments

Describe the bug

When applying multiple roles to a machine ID, the final permissions that machine ID will obtain depends on the order in which the roles are applied.

Moreover, in the "Project Roles" view of a machine identity, the order the roles are displayed in is alphabetical, rather than the order they were applied in. Thus, there is no way to determine what permissions a machine ID will be granted by looking at the UI. You have to attempt to use the permissions, or re-apply the roles in a known order using the UI.

To Reproduce

Suppose the goal was to allow any machine with role allow-both to Describe Secret and Read Value, but any machine with role deny-read may not Read Value.

  1. Go to project > Access Management > Project Roles > Add Role and add allow-both role.
  2. Click Add Policies > Secrets > Add Policies and select Permission=Allow, Actions=[Describe Secret, Read Value].
  3. Click Save on allow-both.
  4. Go to project > Access Management > Project Roles > Add Role and add deny-read role.
  5. Click Add Policies > Secrets > Add Policies and select Permission=Forbid, Actions=[Read Value].
  6. Click Save on deny-read.
  7. Go to project > Access Management > Machine Identities > Add Identity and select an identity.
  8. Select Role as allow-both, and remove all other roles. Click Add.
  9. Click on Edit Role(s) > Add Role and select deny-read. Click Save Roles.
  10. Add any secret to the project and attempt to read the value while authenticated as the identity. Permission will be denied. The deny-read role was saved last.
  11. Click Edit Role(s) > and delete deny-read. Change the remaining role from allow-both to deny-read and click Save Roles.
  12. Click Add Role and select allow-both. Click Save Roles. The role order is now reversed.
  13. Attempt to read the secret value again. Permission will be granted. The allow-both role was saved last.

Thus, even though both attempts to read the secret had the same roles, the permissions obtained by the machine ID differed. It depends on the order the roles are saved in.

Also note that in the Project Roles view, the roles will appear in alphabetical order (allow-both first and deny-read second) regardless of the order the roles were added in. This means that someone arriving at the Project Roles page has no way to determine what permissions the MID will obtain just by looking at the roles it has.

Expected

It seems that role permissions are applied by summing permissions (with possible inversion) from top to bottom, typically with Forbid coming last. Given that, I would expect that roles follow the same convention, adding permissions top to bottom.

Additionally, I would expect that the roles can be re-ordered in the Edit Role(s) dialog, to avoid having to shuffle the value as described above. The Project Roles view should then preserve this order rather than an alphabetical ordering.

Screenshots

N/A

Platform you are having the issue on:

Running self-hosted in docker x86_64, infisical:v0.146.0-postgres

Additional context

kyzyl, Nov 12 '25 07:11
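An added illustration, not Infisical's code, of why steps 10 and 13 above can disagree: a last-match-wins merge of the two roles' policies (order-dependent, matching what the report observes) beside an explicit-forbid-wins merge that gives the same answer in either save order. The role and action names are constructed to mirror the reproduction, and both merge strategies are assumptions used for the comparison, not Infisical's actual evaluation logic.

```typescript
// Added illustration, not Infisical's code. Constructed roles mirror the report's
// reproduction; the two merge strategies are assumptions used to show the effect.
type Effect = "allow" | "forbid";
type Action = "describe-secret" | "read-value";
interface Policy { effect: Effect; actions: Action[] }
interface Role { name: string; policies: Policy[] }

const allowBoth: Role = {
  name: "allow-both",
  policies: [{ effect: "allow", actions: ["describe-secret", "read-value"] }],
};
const denyRead: Role = {
  name: "deny-read",
  policies: [{ effect: "forbid", actions: ["read-value"] }],
};

// Last-match-wins: rules are appended in the order roles were saved and the last
// rule naming an action decides it, so the result depends on save order.
function lastMatchWins(roles: Role[], action: Action): boolean {
  let allowed = false; // no rule at all: implicit deny
  for (const role of roles) {
    for (const p of role.policies) {
      if (p.actions.indexOf(action) !== -1) allowed = p.effect === "allow";
    }
  }
  return allowed;
}

// Forbid-overrides: an explicit forbid on the action wins wherever it sits;
// otherwise at least one allow is required. Sorting roles by name cannot change it.
function forbidOverrides(roles: Role[], action: Action): boolean {
  let sawAllow = false;
  for (const role of roles) {
    for (const p of role.policies) {
      if (p.actions.indexOf(action) === -1) continue;
      if (p.effect === "forbid") return false;
      sawAllow = true;
    }
  }
  return sawAllow;
}

// True when the two save orders from steps 10 and 13 produce different answers.
function orderSensitive(evaluate: (r: Role[], a: Action) => boolean, action: Action): boolean {
  return evaluate([allowBoth, denyRead], action) !== evaluate([denyRead, allowBoth], action);
}

console.log("last-match-wins order-sensitive:", orderSensitive(lastMatchWins, "read-value")); // true
console.log("forbid-overrides order-sensitive:", orderSensitive(forbidOverrides, "read-value")); // false
```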