Granular dynamic access rules

seknox / trasa

Zero Trust Service Access

https://www.trasa.io

Mozilla Public License 2.0

383 stars 71 forks source link

Granular dynamic access rules #258

Closed bhrg3se closed 3 years ago

bhrg3se commented 3 years ago

closes #251 closes #175

flyinghermit commented 3 years ago

Since this will change the underlying dynamic access process and can break the existing workflow, care to explain:

How is this feature implemented?
What is changed or is the same from the previous codebase?

bhrg3se commented 3 years ago

Now admin can set different policies for each group.
Now admin can set the IDP name as a group name to create a dynamic access rule.
Dynamic access used to be permanent i.e permanent access map used to be created. Now, access-map is not created when a user tries to use an unassigned service. So if a user is removed from dynamic access group, s/he cannot access the service.

bhrg3se commented 3 years ago

New database table dynamic_access(rule_id,policy_id,group_name) is added. It will store dynamic access rules for each group/IDP. The dynamic settings enabled status is still in global_settings table.