
Feature: Add no-access role for autoprovisioning

Open • 0xd6cb6d73 opened this issue 5 months ago • 1 comment

Feature Description

Add a role which grants no access to anything so that it may be set as a default for the JIT provisioner.

Are you intending to implement this feature?

No

Current Behavior

JIT role provisioning uses a default role which it grants to all users who attempt to authenticate but do not have a relevant role claim/assertion. All existing roles grant read access to the graph at minimum. This is not desirable in situations where unauthorized users have network access to the BHCE instance.

Desired Behavior

Have a no-privilege role (or special option) to not grant any privileges to users who do not have relevant authorization.

Use Case

The purpose would be to have a safe deployment of JIT user and role provisioning in environments in which most people (John from accounting) are not expected to be legitimate BHCE users.

0xd6cb6d73, Jul 25 '25 12:07