Open klizhentas opened 4 years ago
@zmb3 this would've been pretty handy for that dynamic labels bug
@GavinFrazar I'm not sure I follow. This issue is about making it clear why access is denied. The labels issue you refer to never denied access.
Access was denied because the dynamic labels weren't populated properly, so we would've seen the dynamic label key with an empty value.
When users get access denied, administrators and users have no tools to troubleshoot what happened. Currently we recommend turning on debug logging to see the detailed reason why the role blocked the access.
Instead, we should return tracing information in the role access-denied message, per role:

- `developer`: did not match labels `env: prod`
- `user`: did not match traits ...

and attach this information to the audit event.
Return the event id in the access-denied message:

```
access denied, contact system administrator with code a27dab26-e007-4c37-b266-fe842d63f7ff
```
System administrators can find the event in the database by id and see the detailed reason why the trace has failed. Note that this should not impact the performance too much, so no allocations should be done on the happy path.
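As an added example (not code from the Teleport project or from this issue's author), here is one way the proposal could be shaped in Go. Everything in it is a constructed stand-in: `Role` only carries required node labels (traits are omitted), `AuditLog` is an in-memory map rather than the real audit backend, and the event id is random hex rather than a UUID. The point it demonstrates is the split the issue asks for: the happy path is a single pass that allocates nothing, the deny path runs a second pass that collects per-role reasons into an audit event, and the user receives only the event id while the administrator looks up the trace by that id.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Role is a constructed stand-in for a role: it grants access when every
// label it requires is present on the target node with the same value.
type Role struct {
	Name   string
	Labels map[string]string // required node labels, e.g. env: prod
}

// matchLabels reports whether node carries every label the role requires.
// With trace == nil (the happy path) nothing is allocated; with a non-nil
// trace, the first mismatch is recorded as a human-readable reason.
func (r Role) matchLabels(node map[string]string, trace *[]string) bool {
	for key, want := range r.Labels {
		if got, ok := node[key]; ok && got == want {
			continue
		}
		if trace != nil {
			*trace = append(*trace, fmt.Sprintf("role %s: did not match labels %s: %s", r.Name, key, want))
		}
		return false
	}
	return true
}

// AuditEvent is the record written to the audit backend on a denial.
type AuditEvent struct {
	ID    string
	User  string
	Trace []string
}

// AuditLog is an in-memory stand-in for the audit backend (assumption).
type AuditLog struct {
	events map[string]AuditEvent
}

func NewAuditLog() *AuditLog { return &AuditLog{events: map[string]AuditEvent{}} }

func (a *AuditLog) Emit(ev AuditEvent) { a.events[ev.ID] = ev }

// Lookup is what an administrator does with the code shown to the user.
func (a *AuditLog) Lookup(id string) (AuditEvent, bool) {
	ev, ok := a.events[id]
	return ev, ok
}

// Len reports how many events were emitted (used to confirm the happy path is silent).
func (a *AuditLog) Len() int { return len(a.events) }

// AccessDenied is returned to the user: it carries the event id, never the trace.
type AccessDenied struct{ EventID string }

func (e *AccessDenied) Error() string {
	return "access denied, contact system administrator with code " + e.EventID
}

// newEventID returns a random hex id (a UUID in a real system; hex here to avoid a dependency).
func newEventID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b[:])
}

// CheckAccess grants access if any of the user's roles matches the node.
// Happy path: one pass with trace == nil, no allocations and no audit event.
// Deny path: a second pass collects one reason per role, writes them to the
// audit log, and returns only the event id to the caller.
func CheckAccess(user string, roles []Role, node map[string]string, audit *AuditLog) error {
	for _, r := range roles {
		if r.matchLabels(node, nil) {
			return nil
		}
	}
	trace := make([]string, 0, len(roles))
	for _, r := range roles {
		r.matchLabels(node, &trace)
	}
	ev := AuditEvent{ID: newEventID(), User: user, Trace: trace}
	audit.Emit(ev)
	return &AccessDenied{EventID: ev.ID}
}

func main() {
	audit := NewAuditLog()
	roles := []Role{
		{Name: "developer", Labels: map[string]string{"env": "prod"}},
		{Name: "user", Labels: map[string]string{"team": "web"}},
	}
	node := map[string]string{"env": "staging", "team": "db"} // constructed sample node
	err := CheckAccess("alice", roles, node, audit)
	fmt.Println(err) // what the user sees: the generic message plus the code
	if denied, ok := err.(*AccessDenied); ok {
		ev, _ := audit.Lookup(denied.EventID)
		fmt.Println(strings.Join(ev.Trace, "\n")) // what the administrator sees
	}
}
```

The second pass on the deny path is deliberate: recomputing the match with a trace collector keeps the hot path free of any bookkeeping, and a denial is rare enough that the extra work and allocations are acceptable there.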