Workbench: user not authorised to access a workbench redirected to login page
Requirement
As per the last comment, this ticket, which was previously a bug, is now a feature with the following scope: Analyst Workbench access and creation should not be linked to the Import Knowledge capability, but only Access Knowledge. The goal of this ticket is now to update the capability controlling the Workbench.
Description
A user who does not have authorisation to access a workbench in an incident, for example, will still see the workbench. By clicking on it, he will be redirected to the login page (while remaining logged in). It might be better to display a message when the user clicks: "you do not have authorisation to access this workbench", or not to display the workbench to an unauthorised user.
UPDATE: A user having access to an Entity should be able to create an Analyst Workbench to propose modifications. Validation of this Analyst Workbench must be under Create/Update Knowledge.
Environment
OpenCTI 5.12.29
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Create a workbench in an incident with a user who has high access rights
- Go to the incident with a user who does not have the rights to consult the workbench in the incident
- Click on the workbench
Expected Output
A non-authorisation message is displayed to indicate that access rights are insufficient or the workbench is not displayed at all for the unauthorised user.
Actual Output
The unauthorised user is redirected to the login page (without being logged out) after clicking on the workbench.
@nino-filigran What behavior do we expect?
- Message with "you do not have authorisation to access this workbench", or
- not to display the workbench to an unauthorised user.
I'd say the first one, the message "you do not have authorisation to access this workbench", because otherwise, if another user asks to go in the workbench and no workbench is displayed, the user might think it's a bug.
Decision: do not display an error message; disable the field and hide the 2 CTAs.
cc @Jipegien
Outcome after testing:
- To access the workbench in data, you need the capability "import knowledge". But to have it in the list (outside the context of an entity), you need "create update exploration".
- Having the capability "import file" and "access knowledge" allows you to go in the workbench, edit the workbench and click on validate, BUT a validation happens when trying to ingest the data: data is not ingested (error name 'FORBIDDEN ACCESS', message 'you are not allowed to do this'). This is the same behavior if you only have the "create update exploration" capability.
- You indeed need the "create knowledge" capability to create successfully.
Therefore, even though you can see there is a workbench, you cannot perform any action (which does not put the platform at risk). As mentioned in this ticket, the way we handle the various redirections in case you have no rights is not unified across the platform and we will need a task to handle this.
Given that in this other bug we have decided that the harmonization of the behavior should be handled as a feature, I assume this one would fall into the same bucket.
As a result, I propose to close this bug for now without fixing it, since there is "nothing" to fix.
cc @Jipegien
Ok for not fixing it.
Analyst Workbench access and creation should not be linked to the Import Knowledge capability, but only Access Knowledge, because an Analyst Workbench can be created from scratch. Rationale: every user capable of accessing Knowledge should be able to propose modifications (in a controlled environment -> Analyst Workbench). The validation of an Analyst Workbench must stay under the capability of Create Knowledge. Rationale: by validating an Analyst Workbench, data will be created or updated. Thus, it must be under the Create/Update Knowledge capability.
So, as a feature, we must modify the capability controlling the Analyst Workbench.
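To make the gap between the tested behavior (UI gated on Import Knowledge, ingestion gated on Create/Update Knowledge) and the proposed scope concrete, here is a small model of the two capability policies. This is an added example written for this ticket, not OpenCTI code: the capability names and the prefix-based hierarchy check (a user holding KNOWLEDGE_KNUPDATE satisfies a check for KNOWLEDGE; BYPASS satisfies everything) are my assumptions about how OpenCTI names and resolves capabilities.

```javascript
// Constructed model of the workbench capability gates discussed in the ticket.
// Assumption: capability names are nested by prefix, as in OpenCTI's naming,
// so a check for KNOWLEDGE is satisfied by KNOWLEDGE_KNUPDATE; BYPASS is admin.
const BYPASS = 'BYPASS';
const ACCESS_KNOWLEDGE = 'KNOWLEDGE';                 // "Access knowledge"
const CREATE_UPDATE_KNOWLEDGE = 'KNOWLEDGE_KNUPDATE'; // "Create / Update knowledge"
const IMPORT_KNOWLEDGE = 'KNOWLEDGE_KNASKIMPORT';     // "Import knowledge"

function hasCapability(user, required) {
  return user.capabilities.some((c) => c === BYPASS || c.startsWith(required));
}

// For each policy: what the UI lets the user reach, and what the backend
// actually enforces when the workbench is validated (data ingested).
const POLICIES = {
  // Behaviour observed during testing: the UI gates on Import knowledge while
  // ingestion is enforced on Create/Update knowledge, so the two can disagree.
  before: {
    access: IMPORT_KNOWLEDGE,
    create: IMPORT_KNOWLEDGE,
    validateUi: IMPORT_KNOWLEDGE,
    validateBackend: CREATE_UPDATE_KNOWLEDGE,
  },
  // Proposed feature: access/creation on Access knowledge, validation on
  // Create/Update knowledge at both the UI and the backend.
  after: {
    access: ACCESS_KNOWLEDGE,
    create: ACCESS_KNOWLEDGE,
    validateUi: CREATE_UPDATE_KNOWLEDGE,
    validateBackend: CREATE_UPDATE_KNOWLEDGE,
  },
};

// Returns the rights a user gets on a workbench under a policy, plus whether
// the UI would show a validate action that the backend then rejects
// (the FORBIDDEN ACCESS case described in the test outcome).
function workbenchRights(user, policyName) {
  const p = POLICIES[policyName];
  const validateUi = hasCapability(user, p.validateUi);
  const validateBackend = hasCapability(user, p.validateBackend);
  return {
    access: hasCapability(user, p.access),
    create: hasCapability(user, p.create),
    validateUi,
    validateBackend,
    mismatch: validateUi && !validateBackend,
  };
}

// Constructed sample users for the two policies.
const analyst = { capabilities: [ACCESS_KNOWLEDGE] };          // Access knowledge only
const importer = { capabilities: [IMPORT_KNOWLEDGE] };         // Import knowledge (implies access)
const editor = { capabilities: [CREATE_UPDATE_KNOWLEDGE] };    // Create/Update knowledge
```

Under `before`, `importer` can open the workbench and click validate but the backend refuses (mismatch), and `analyst` cannot even open it; under `after`, `analyst` can open and create but not validate, and only `editor` (or BYPASS) validates, with the UI and backend gates in agreement.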