Type: Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/fine-grained-permissions
Describe the bug
I'm trying to implement the following permission scheme:
- We have two groups /Root/group1 and /Root/group2
- We have two admin groups /Admins/group1 and /Admins/group2
- Each admin group should be able to manage the membership for their corresponding group, so e.g. /Admins/group1 should be able to manage the membership for /Root/group1
I created three group policies:
- Admins: applies to /Admins and extends to children
- group1 / group2 apply to their respective /Admins/groupX group
Then I created four permissions:
- View users and manage group membership: This should allow all members in the admins group to view and manage the group membership for all users.
- User policy
- Scopes: manage-group-membership, view
- Enforces access to: All users
- Policy: Admins
- View groups and members: This should allow all members in the admins group to view all groups and their members
- Group policy
- Scopes: view, view-members
- Enforce access to: All Groups
- Policies: Admins
- One permission for each of group1 and group2 which should allow members of their admin group to manage the membership for the specific group:
- Group Policy
- Scopes: manage-membership
- Enforce access to: /Root/group1
- Policies: group1
Finally, I have three users:
- usera: member of /Admins/group1
- userb: member of /Root/group2
- userc: member of no group
If we now evaluate the permissions of usera we get:
- They can view and view-members on /Root/group1 and /Root/group2
- They can manage-membership on /Root/group1
- They can view and manage-group-membership of userc
However, usera cannot do anything on userb, not even view them. The permission evaluation says that the manage membership of group2 permission voted DENY, which I find odd.
Apparently, the fact that userb is part of the /Root/group2 group disallows usera from viewing them.
Version
26.3.0
Regression
[ ] The issue is a regression
Expected behavior
I would expect that the group permission for /Root/group2 operates on the group object, and as expected usera cannot manage the membership for group2. I wouldn't expect that this would have an effect on whether or not usera can e.g. view userb.
Actual behavior
The group permission influences whether usera can view userb because userb is part of the group allowed by the permission.
How to Reproduce?
1. Use the realm export realm-export-permissions-demo.json to import the realm.
2. Create three users usera, userb, userc.
3. Assign usera to group /Admins/group1.
4. Assign userb to group /Root/group2.
5. In the permissions evaluation tab, evaluate usera on Users resource type for user userb and see that all scopes are denied.

6. Evaluate the same but this time for users userc instead of userb and see that view and manage-group-membership are allowed.

Anything else?
No response