
Change process run_as attribute to user_context

Open jp-harvey opened this issue 1 year ago • 6 comments

As per https://github.com/ocsf/ocsf-schema/discussions/238, the goal of this PR is to disambiguate the use of the user context in the process object. Based on the feedback on that discussion, the field name has been changed, made recommended, and the description updated.

Note that the user profile has not been updated as proposed; after looking at the description of the user profile, there probably does not need to be any additional clarity around that being the session user rather than the user context of the process.

jp-harvey avatar Oct 13 '22 01:10 jp-harvey

I thought that we are going to use the existing user attribute?

The user attribute in the user profile? That would restrict options and not solve the ambiguity. The user we're identifying in this case is a property of the observable rather than a characteristic of a class.

If referring to the user attribute in the dictionary, it was requested that it not be named the same so as not to cause a collision (two of the 8 votes for changes requested this).

jp-harvey avatar Oct 13 '22 15:10 jp-harvey

No, not the user in the profile -- my question is, why not use the process.user? Note, process.user and the user defined in the profile are two different user objects.

rroupski avatar Oct 13 '22 15:10 rroupski

It was requested that it not be called user in the comments below the voting on the discussion:

image

jp-harvey avatar Oct 13 '22 16:10 jp-harvey

In this case, the user is a member of the process object, which provides the context and the role. What's the benefit of creating yet another User attribute?

IMO the existing name run_as (the user that the process runs as) is a better choice than user_context. If you want to have the user in the attribute name, then we should rename run_as and run_as_user.

Using the context word in an attribute name could be confusing -- there is a group called Context. The main user is in the Context group, and now we are adding a second context user?

rroupski avatar Oct 13 '22 16:10 rroupski

I'm in agreement actually about just using user; it is clear to me that it's the user context under which the process is running. The run_as suggests impersonation (from the Windows world), which we don't want. @paveljos and @AWSSecEng, you both had concerns about using user as the name. Do you think the ambiguity concern could be mitigated by an appropriate caption and description instead of creating a new object?

jp-harvey avatar Oct 13 '22 17:10 jp-harvey

Yes, both caption and description could be changed to better describe the attribute.

rroupski avatar Oct 13 '22 17:10 rroupski

@rroupski, as per our discussion today, the field name in the process object has been updated to user.

jp-harvey avatar Oct 19 '22 22:10 jp-harvey