-
operation result scripting hook
-
expressions for allowed values
-
configurable expressions columns / containerable name column
-
filter expression in
PropertySearchItemWrapper
-
flexible label model
-
user display name from expression
-
ExpressionValidator
Security Improvements in 4.8
Since 4.8
This functionality is available since version 4.8.
|
- Authorization Configuration
- Changes
- Migration of the Authorizations
- Open Questions
- Value-Level Action Authorizations
- Embedding of Value-Level Authorization Selectors
- Level of Support for
searchContainers
andsearchReferences
Methods - Diagnostics Improvements
- Support for Specific Authorization Situations
- Expression Profiles, Task Templates
- RunAsRef vs RunPrivileged
- Other Considerations
- Unrelated/Unsorted Notes (not part of the meeting)
Authorization Configuration
Before 4.8, we could specify the authorization only at the level of an object. For example, the logged-in principal could see particular items of a given object, depending on its relation to it. Or, it could execute some operations on that object.
In 4.8, we need more. First of all, we need to be able to authorize operations on the level of individual items.
-
A user can see or complete case work items assigned to him.
-
A user can see or complete case work items assigned to people in organizations managed by him.
-
A user can see only closed (or not closed) case work items.
-
A user can only see other users' assignments to the roles he is an owner or approver of.
-
A user can only see other users'
roleMembershipRef
values related to the roles he is an owner of approver of.
Regarding certifications, things get even more complex:
-
A user can see certification cases related to people in organizations managed by him.
-
A user can see certification cases related to roles he is an owner or approver of.
-
A user can see or complete certification case work items assigned to him.
-
A user can see or complete certification case work items assigned to people in organizations managed by him.
-
A user can see only closed (or not closed) certification case work items.
We cannot guarantee all of the above scenarios to be implemented. We will provide more detailed analysis here later. |
Changes
-
The
assignee
clause now covers all assignees, not only assignees of open work items (commit c97e31dc).
Migration of the Authorizations
Please see Deprecated and Removed Authorizations more details.
Open Questions
Value-Level Action Authorizations
Currently, only the following authorizations are evaluated at sub-object level:
-
#read
(i.e.,#search
and#get
) -
#completeWorkItem
-
#delegateWorkItem
In particular, #add
, #modify
nor #delete
ones are ignored at this level.
Is it OK?
Or, should we implement that?
What will need to be resolved in that case, are relations to #assign
and #unassign
authorizations that would get an alternative representation of #add
and #delete
of AssignmentType
value in assignment
item.
The question is also whether we should apply sub-object authorizations when getEditObjectDefinition
is called.
Answer (28th June 2023)
We may look at this, but with a lower priority.
Embedding of Value-Level Authorization Selectors
Currently, the following inner value types are automatically attached to their parents:
-
AssignmentType
→AssignmentHolderType
:`assignment` -
CaseWorkItemType
→CaseType
:`workItem` -
AccessCertificationCaseType
→AccessCertificationCampaignType
:`case` -
AccessCertificationWorkItemType
→AccessCertificationCaseType
:`workItem` →AccessCertificationCampaignType
:`case/workItem`
I.e. if there is an authorization with a selector with type
= AccessCertificationCaseType
, it is automatically interpreted as if it had parent
selector of type
= AccessCertificationCampaignType
and path
= case
.
(See Specification#getCandidateAdjustments
and Specification.Adjustment
or their updates in current source code.)
Should we add another such auto-embedded cases?
Is the treatment of AssignmentType
ok?
(Or, should we add inducement
embedding for it?)
Should we analyze the original container query and derive the attachments from there?
Answer (28th June 2023)
We will not support such an automatic embedding. Each sub-object selector must be rooted in a prism object. (TODO implement this)
Level of Support for searchContainers
and searchReferences
Methods
The searchContainers
and countContainers
currently support the following types regarding security:
-
AccessCertificationCaseType
-
AccessCertificationWorkItemType
-
CaseWorkItemType
-
OperationExecutionType
-
AssignmentType
-
SimulationResultProcessedObjectType
Among them, AssignmentType
and SimulationResultProcessedObjectType
are excluded from post-processing (i.e. application of #get
authorizations on values returned by the search) because the repository does not return their parent objects.
Is that OK?
E.g., should we add support for AssignmentType
filtering?
What about searchReferences
?
In particular, do we plan to filter the metadata (accesses) content according to authorizations in 4.8?
If so, how?
Answer (28th June 2023)
We will have a look at both AssignmentType
post-processing (i.e. returning the parent from the repository) and the implementation for searchReference
- if the time permits.
Diagnostics Improvements
Are we going to somehow improve authorization diagnostics? The improvements in 4.8 tried to separate authorization and value selector evaluation logic from the diagnostic logging, in order to provide more flexibility in this area.
Should we provide alternative troubleshooting means in addition to existing one (i.e. by logging) ? For example, dumping the structured output into CSV? Or, integrating with the tracing?
Answer (27th June 2023)
The Authorization Playground page was created. It will be improved as the time permits.
Support for Specific Authorization Situations
The current authorization framework is quite general and flexible, but with many limitations restricting its practical use. What specific authorization scenarios should we support?
Answer (27th June 2023)
Engineers should create improvement issues what scenarios they need to handle.
Expression Profiles, Task Templates
Results of a design meeting (Katka, Rado, Pavol) on 11th of July 2023.
Main Use Cases
-
Allowing delegation of auto-assignment selectors/expressions to non-root users.
-
Allowing delegation of certain role management actions (involving editing of mappings) to non-root users. Especially for business roles.
-
Allowing GUI customizations using expressions - e.g. in custom columns, but also using other expressions.
-
Of course, continuing the support for expression in reports editable by non-root users.
-
Custom GUI actions for object lists (that use task templates) should be callable by non-privileged users, even if they utilize Groovy code - MID-6913/MID-7831.
The Solution
-
Selected expressions (mostly those mentioned in the use cases above) will run under defined expression profiles. These profiles will be derived typically from the archetype of the containing object (e.g., role).
-
User will have the authorization to edit (parts of) objects with given archetype. They will NOT have the authorization to edit other expressions.
What about Task Templates?
Building blocks of the solution:
-
Individual methods in function libraries could run under
runAsRef
/runPrivileged
regime. (Maybe they even can do now, as they are basically expressions.) -
Function libraries will be callable from bulk actions (maybe even expressions as such could be).
-
Bulk actions will execute under expression profiles as well.
-
Function libraries will be covered by expression profiles i.e. one will be able to specify which libraries/methods are callable under given profile.
-
Task template will provide a specific archetype that will be used to derive an expression profile for tasks derived from it. (These tasks will inherit the archetype on their creation.)
Determining Expression Profiles
-
Primarily based on hosting object’s archetype plus item path[1]. (At first, we use the structural archetype, because the composition of expression profiles is tricky. [2])
-
We may consider defining common profile for all GUI-related expressions, as they may reside on multitude of objects, e.g. even in user’s GUI config. Such configuration would be probably part of the system configuration object.
RunAsRef vs RunPrivileged
We create new configuration item, replacing runAsRef
. It can be called e.g. privileges
, and will cover the following:
-
runAsRef
- if we want to switch the principal (actor) identity -
runPrivileged
- if we want to switch only the authorizations - by default to full ones ("setuid bit"); later we may be able to define specific authorizations to be used
If this is used in a custom library, it should be 100% hack-proof. (Although, we may be able to restrict availability of such a method via expression profiles.)
Other Considerations
Authorization Roles with Conditions
These conditions may require authorizations, but these are not available at login.
The new runPrivileged
feature will resolve this.
Auditing
-
We certainly want to audit both original principal and the current actor (after one or more
runAsRef
directives). -
We also want to note when the privileges were messed with by the
runPrivileged
feature. Later, whenrunPrivileged
allows adding specific (not all) privileges, we may consider recording details about privilege enhancements.
GUI Tasks Authorization Requirements
Should we require any authorizations in order to invoke tasks from GUI? (Like for assignment/unassignment of role members?)
Currently, we require (rather weak) #executeScript
(now bulk-3#all
) authorization to run bulk actions.
In 4.8, we will continue requiring this; so the role owners will have to possess that authorization.
TODO ok?
Unrelated/Unsorted Notes (not part of the meeting)
Partial questions:
-
What about unusual places where expressions can be found? E.g.
-
expressions in explicit filters e.g. in search evaluators
-
expressions in (implicit) dynamic reference filters (import-time filters do not support expressions)
-
expressions in prism values e.g. configuration properties
-
any other places?
-
Filter/query expressions:
Class | Method | Note |
---|---|---|
|
TODO |
|
|
TODO |
|
|
TODO |
|
|
TODO |
|
|
TODO |
|
|
Works on |
|
|
The filter is created using some magic, see |
|
|
Again, evaluating filters on |
|
|
Resolving dynamic |
|
|
Resolving dynamic |
|
|
Resolving dynamic filters in policy constraints: |
|
|
Looking for task templates for "execute script" policy action execution. |
|
|
Filtering for assignments to be unassigned via bulk action. |
|
|
Resolving protected accounts patterns. |
|
|
Resolving filters in object selectors; currently used for linked objects (link source resolution). |
|
|
Resolving filters in authorizations. |
|
|
Resolves approver references from various sources (policy rules, system configuration, etc). |
|
|
Query playground in GUI |
|
|
Queries in search-based evaluators (they have their expression profile determined anyway). |
|
|
Traditional filter correlator (expression comes from resource but sometimes from system configuration). |
|
|
The |
|
|
Resolving expressions in search-based activities (many of them). |
|
|
Resolving base context in provisioning. |
Other places:
Component | Use |
---|---|
GUI |
|
Cases |
|
Certifications |
|
Expressions support |
Custom functions evaluation (two places): see |
Value policy processor |
both generating and validating values |
Dashboard service |
dashboard variation (condition) |
Object merger |
value expression |
Correlation |
|
Clockwork (privileged profile) |
|
Lens (various) |
|
Notifications |
|
Provisioning |
|
UCF |
|
Reports |
|
Workflows |
|
Interesting cases:
-
Expressions coming from various sources
-
correlators (resource, system configuration)
-
compiled collections/views
-
policy rules
-
approval schema fragments
-
?
-
How to Authorize Management of Template-Based Objects
There are objects that could be derived from templates (or super-objects): resources, archetypes, later maybe others. Do we need to specify authorization statements like:
-
You can create/modify only resources derived from given template?
-
You can/cannot create/modify resources derived from given template?