
Adjust RoleEligibilitySchedule scope

Open NZLostboy opened this issue 1 year ago • 4 comments

I have been doing some work around the CIS checks and came across this. These two tests seem like they might be over-scoped, or at least that is what my testing seemed to indicate. Caveat: I have a less than ideal test environment at the moment, so I want a second opinion.

The original scope was RoleEligibilitySchedule.ReadWrite.Directory but in testing RoleEligibilitySchedule.Read.Directory seemed to work fine.

Could someone else test and confirm this for me? This would allow us to run these tests without the -Privileged flag.

NZLostboy avatar Aug 19 '24 09:08 NZLostboy

This issue thread has some good context of where this scope comes into play.

https://github.com/maester365/maester/issues/195

soulemike avatar Aug 19 '24 14:08 soulemike

> This issue thread has some good context of where this scope comes into play.
>
> #195

@Snozzberries just to make sure I understand #195 properly. The issue is a user with RoleEligibilitySchedule.Read.Directory cannot use Get-MtRole to get roles where they're being provided by PIM?

Just wanting to make sure I understand the issue before I test further

NZLostboy avatar Aug 20 '24 00:08 NZLostboy

> This issue thread has some good context of where this scope comes into play. #195
>
> @Snozzberries just to make sure I understand #195 properly. The issue is a user with RoleEligibilitySchedule.Read.Directory cannot use Get-MtRole to get roles where they're being provided by PIM?
>
> Just wanting to make sure I understand the issue before I test further

Less of an issue with Get-MtRole and more with Get-MtRoleMember. We are only able to list members of eligible roles with RoleEligibilitySchedule.ReadWrite.Directory. We can list active members with just Read though.

soulemike avatar Aug 20 '24 00:08 soulemike
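The way to settle the question raised in the thread is to reproduce it: connect with the narrower scope only, call the PIM eligibility endpoints, then repeat with the ReadWrite scope and compare. The script below is an added example for doing that; it is not Maester's own code and does not call Get-MtRoleMember. It assumes the Microsoft.Graph.Authentication module is installed, that the caller can consent to both delegated scopes, and it tests against the well-known Global Administrator role template id by default (any other role definition id can be passed in).

```powershell
param(
    # Role definition id to query for; the default is the well-known
    # template id of the Global Administrator role (assumption: you want to test that role).
    [string]$RoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'
)

Import-Module Microsoft.Graph.Authentication

# Issue one GET and record whether it succeeded instead of throwing,
# so a 403 on one endpoint does not stop the comparison.
function Test-GraphCall {
    param([string]$Label, [string]$Uri)
    try {
        $result = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop
        [pscustomobject]@{ Call = $Label; Succeeded = $true;  Count = @($result.value).Count; Error = $null }
    } catch {
        [pscustomobject]@{ Call = $Label; Succeeded = $false; Count = 0; Error = $_.Exception.Message }
    }
}

# Sign in with exactly one RoleEligibilitySchedule scope and probe the
# two eligibility endpoints Graph exposes for PIM-eligible role members.
function Test-RoleEligibilityScope {
    param([string]$Scope, [string]$RoleId)

    # Drop any cached session first so a token that already carries the
    # broader ReadWrite scope does not mask the result for Read.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    Connect-MgGraph -Scopes $Scope -NoWelcome
    $granted = (Get-MgContext).Scopes -join ' '

    $base   = 'https://graph.microsoft.com/v1.0/roleManagement/directory'
    $filter = "`$filter=roleDefinitionId eq '$RoleId'"

    $calls = @(
        Test-GraphCall -Label 'roleEligibilitySchedules'         -Uri "$base/roleEligibilitySchedules?$filter"
        Test-GraphCall -Label 'roleEligibilityScheduleInstances' -Uri "$base/roleEligibilityScheduleInstances?$filter"
    )
    foreach ($c in $calls) {
        $c | Add-Member -NotePropertyName RequestedScope -NotePropertyValue $Scope   -PassThru |
             Add-Member -NotePropertyName GrantedScopes  -NotePropertyValue $granted -PassThru
    }
}

$scopes  = 'RoleEligibilitySchedule.Read.Directory', 'RoleEligibilitySchedule.ReadWrite.Directory'
$results = foreach ($s in $scopes) { Test-RoleEligibilityScope -Scope $s -RoleId $RoleDefinitionId }

# One row per scope/endpoint pair: if the Read rows succeed with a non-zero
# Count, the narrower scope is enough for listing eligible members.
$results | Format-Table RequestedScope, Call, Succeeded, Count, Error -AutoSize
```

Run it in a tenant where the chosen role actually has eligible (not just active) assignments, otherwise a Count of 0 tells you nothing about the scope. The GrantedScopes column is there because a consent prompt can silently add previously consented permissions to the token; compare it with RequestedScope before trusting a Succeeded result.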

> This issue thread has some good context of where this scope comes into play. #195
>
> @Snozzberries just to make sure I understand #195 properly. The issue is a user with RoleEligibilitySchedule.Read.Directory cannot use Get-MtRole to get roles where they're being provided by PIM? Just wanting to make sure I understand the issue before I test further
>
> Less of an issue with Get-MtRole and more with Get-MtRoleMember. We are only able to list members of eligible roles with RoleEligibilitySchedule.ReadWrite.Directory. We can list active members with just Read though.

Sorry, you are right, Get-MtRoleMember is what I meant. Alright, I understand the issue. I will see if there is any other way around it; otherwise I will probably have to close this PR.

Seems a little unfortunate to require the write perm for this particular issue.

Thank you for the clarification.

NZLostboy avatar Aug 20 '24 01:08 NZLostboy