"Phantom" Orgs on a User
Description
When certain users (not all) are part of a parent-child org structure, we attempted to update the org structure to account for a newly created "part-of" relationship. In the user's profile settings page, we removed all orgs from the user's account. However, after changes were saved without any orgs assigned to the user, we observed that some of the organizations and their part-of relationships remained on the user's account. The user also could still access reports, even though their profile should have been saved with no org relationship.
When we attempted to reinstate the user's org (and their inherited part-of relationships), some of the orgs reappeared (not all). We removed all orgs again, and re-saved, and the "phantom" orgs still remained.
We allowed for multiple days to pass on this configuration setting to ensure that there were no time-delay issues causing the "phantom" orgs to remain.
Environment
- OS (GCP)
- OpenCTI version: { 6.6.13 }
- OpenCTI client: { Frontend }
- Other environment details:
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Remove orgs from user's profile, and save. See phantom orgs
- Re-add orgs from user's profile and save
- Remove orgs from user's profile and save, phantom orgs remain
Expected Output
We expect the platform to save all current org assignments so that the user only has access to the reports they should see.
Actual Output
Despite removing all org assignments, the user still has access to 100s of reports under the old org assignments.
Screenshots (optional)
@jw-NYC-001 We are investigating this issue. Could you share with us a screenshot of your rules screen?
In your screenshots, we're exactly looking for the following information:
- whether or not the rule Organization propagation via participation is enabled or not
- the last time an event has been processed by the engine
The rule engine is turned on
The engine ran as of today
@jw-NYC-001 Could you send the result of this query on the user that has phantom organizations?
query {
  user(id:"USER-ID") {
    id
    objectAssignedOrganization {
      edges {
        node {
          id
          name
        }
      }
    }
    objectOrganization {
      edges {
        node {
          id
          name
        }
      }
    }
  }
}
@SouadHadjiat
{
  "data": {
    "user": {
      "id": "4da3c7ef-4ee3-400f-b1c8-cdd5a2a6a769",
      "objectAssignedOrganization": { "edges": [] },
      "objectOrganization": {
        "edges": [
          { "node": { "id": "3d99538b-5b74-4e03-b895-35d909120975", "name": "NYC Cyber Command" } },
          { "node": { "id": "c5745b18-cf70-4067-81e8-59bd9b94d685", "name": "NYC3 Threat Management" } }
        ]
      }
    }
  }
}
@jw-NYC-001 So these two organizations have inferred relationships with this user, that have been created by this rule
Could you try to disable it, wait until it's complete (it will delete inferred relationships that were created by the rule), then enable it again?
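The comparison made in the comment above can be scripted when auditing more than one account. This is an added example, not part of the original thread or OpenCTI's own code: it takes a response to the query above and lists organizations that appear under objectOrganization but not under objectAssignedOrganization. It assumes, as the output in this thread suggests, that objectAssignedOrganization holds only direct assignments; the function names and the sample response are constructed.

```python
import json

# Constructed sample in the shape of the query response shown in this thread.
# IDs and names are placeholders, not values from the reporter's platform.
SAMPLE_RESPONSE = json.dumps({"data": {"user": {
    "id": "user-0001",
    "objectAssignedOrganization": {"edges": [
        {"node": {"id": "org-child", "name": "Child Org"}}]},
    "objectOrganization": {"edges": [
        {"node": {"id": "org-child", "name": "Child Org"}},
        {"node": {"id": "org-parent", "name": "Parent Org"}},
        {"node": {"id": "org-grandparent", "name": "Grandparent Org"}}]},
}}})


def _nodes(user, field):
    """Map org id -> name for one connection field; tolerate null or empty."""
    edges = (user.get(field) or {}).get("edges") or []
    return {e["node"]["id"]: e["node"]["name"] for e in edges if e.get("node")}


def inferred_only_orgs(response_text):
    """Split a user's organizations into direct and inferred-only sets."""
    payload = json.loads(response_text)
    if payload.get("errors"):
        raise ValueError("GraphQL errors: %s" % payload["errors"])
    user = (payload.get("data") or {}).get("user")
    if user is None:
        raise ValueError("user not found or not visible to this API token")
    assigned = _nodes(user, "objectAssignedOrganization")
    effective = _nodes(user, "objectOrganization")
    # Organizations granting access with no direct assignment behind them.
    inferred = {i: n for i, n in effective.items() if i not in assigned}
    return {"user_id": user["id"], "assigned": assigned, "inferred_only": inferred}


if __name__ == "__main__":
    report = inferred_only_orgs(SAMPLE_RESPONSE)
    print("user:", report["user_id"])
    for org_id, name in sorted(report["inferred_only"].items()):
        print("inferred only:", org_id, name)
```

A user whose assigned set is empty but whose inferred-only set is not matches the state reported in this issue.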
We are identifying a time in two weeks to test this which will have minimal impact on our team. We will update this thread when we have results.
@SouadHadjiat - Please be advised that we are starting to implement a test for this suggested fix this week. Due to the risk that turning org propagation off and on may have on some of our current workloads, we were holding on implementing. Please do not remove this from your assignment yet as we haven't verified if this has been fixed.
@SouadHadjiat - Please note that this issue is resolved. By turning off and on the propagation rule we were able to hit a "reset" on the org structure and we no longer see "phantom orgs." However, please note that we are seeing some unusual behavior on the parent-child relationships of certain orgs, and they are not appearing within the org-tree structure for users to access the reports. We will submit a separate ticket for this issue.
Thanks for letting us know! I'll close the bug as a result :)