Open cd-rite opened 1 month ago
Grant = Collection + User/Group + Role (formerly Access Level)
- select any User Grant over any Group Grant(s).
- when User matched by multiple Groups, select Grant with highest priority Role. Apply role collision rule on ties.
- merge ACL resources and on Asset/STIG access collision select lowest access.
Role = Review ACL + Privileges + Priority
ACL = List of Rules
Rule = Resource (unique per list) + Access
- collection (all Assets and their mapped STIGs)
- asset (this Asset and its mapped STIGs)
- stig (this STIG and its mapped Assets)
- label (all Assets with this Label and their mapped STIGs)
- none (allowed for Restricted role only)
- read
- read/write
- the most specific resource is selected.
- lowest access is selected.
- modify
- delete
- create owner
- create non-owner
- modify owner
- modify non-owner
- delete owner
- delete non-owner
- create
- modify
- delete
- map
- unmap
- create
- modify
- delete
- map
- unmap
For the built-in Roles:
Priority | Role | Default ACL rule | Privileges: Collection | Privileges: Grant | Privileges: Asset | Privileges: Label | Privileges: STIG |
---|---|---|---|---|---|---|---|
4 | Owner | read/write | modify delete |
create owner, modify owner, delete owner, create non-owner, modify non-owner, delete non-owner |
create modify delete |
create modify delete map unmap |
map unmap |
3 | Manage | read/write | modify | create non-owner, modify non-owner, delete non-owner |
create modify delete |
create modify delete map unmap |
map unmap |
2 | Full | read/write | none | none | none | none | none |
1 | Restricted | none | none | none | none | none | none |
This issue is a WIP.
Collection Grants are being reimplemented. The reimplementation will more clearly distinguish Collection Privileges and Collection Access.
Collection Roles will enable sets of Collection Privileges, and have a default Access Control List. Access control lists will specify which Assets/STIGs a user has access to, with which privileges (R/RW/none).
More info here (will be moved to this issue soon): https://github.com/NUWCDIVNPT/stig-manager/issues/322#issuecomment-2110482330 (Read-Only Access) Additional feature requests that will be considered for this issue: https://github.com/NUWCDIVNPT/stig-manager/issues/849 (Consider adding accept/reject as an access level, rather than a collection-level privilege?) https://github.com/NUWCDIVNPT/stig-manager/issues/852 (Should be satisfied by user groups) https://github.com/NUWCDIVNPT/stig-manager/issues/729 ("dynamic" grants by label/asset/stig) https://github.com/NUWCDIVNPT/stig-manager/issues/1182 (user groups) https://github.com/NUWCDIVNPT/stig-manager/issues/863 (new ACL builder interface)
UI will require many changes. New reports and assignment interfaces. Assets/STIGs in Dashboard will probably need indicators to User indicating if they have R/RW/None access. Should accept/reject status be considered part of "access" rather than collection privilege?