Implement Portfolio Access Control - Part 2 #1127
Comments
Moving out a release to (hopefully) get feedback on the ACL logic introduced in v4.3. So far, no positive or negative feedback.
I expect flexible permission configuration policies :)
First tests look good. I noticed that if access control is enabled and a user has the PORTFOLIO_MANAGEMENT permission, they can create a new project but are not automatically added to its ACL and therefore cannot interact with it. I also think it would be useful to add a project owner. That project owner would then be given ACCESS_MANAGEMENT within the scope of their project as proposed by @nibiwodong. The initial project owner would be the creator of the project.
I need devs to be able to edit missing license information to components. Apparently, this requires portfolio mgmt permissions, which in turn allow almost everything ... A fine grained control would be pretty much needed.
Are there any plans to work on this issue in the near future? We're looking into using DependencyTrack but we need to be able to have a clear distinction between different teams and locations. The "Portfolio Access Control" currently facilitates this only partly because the ACLs aren't implemented within all resources. Especially the issue with metrics (#1682) is something that pops up straight away once one starts to work with "Portfolio Access Control".
I made a specific issue for that 4092.
We recently got a contribution to Hyades which "deconstructs" the existing permissions into separate CRUD permissions: DependencyTrack/hyades#1406 This allows assigning of Another contribution added the display of assigned teams to the Projects list: DependencyTrack/hyades#1435
I believe the only piece we're missing here is a clever SQL query to calculate Portfolio metrics on-the-fly, based on which projects the authenticated user has access to. In Hyades, metrics calculation was already moved to stored procedures. The calculation of portfolio metrics is here: https://github.com/DependencyTrack/hyades-apiserver/blob/e70776688f2040d0a521c3df9c2a856557e224b4/src/main/resources/migration/procedures/procedure_update-portfolio-metrics.sql#L41-L75 Perhaps it can act as a starting point for the mentioned ad-hoc query. The query needs to support arbitrary time ranges, since users will request portfolio metrics for the last X days, for example.
I'd like to mention that any new resources we add, both for DT v4.x and Hyades, have portfolio ACL in mind. For example in the recent work on tags (#3881, #3894, #3896, #3924). Contributions to address holes in existing endpoints would be highly appreciated.
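As an added illustration of the ACL-aware, time-ranged portfolio metrics query discussed in the comment above (this is example code, not Dependency-Track's or Hyades' own stored procedure): it runs against a constructed in-memory SQLite schema whose table and column names are assumptions that only loosely mirror Dependency-Track's, and whose metric rows are made up. Each project contributes only its latest snapshot per day, and a project is counted only if one of the caller's teams is on its access list.

```python
import sqlite3

# Constructed schema (assumption: shaped after Dependency-Track's PROJECT,
# PROJECT_ACCESS_TEAMS and PROJECTMETRICS tables, not a copy of them).
# Team 10 may see projects 1 and 2; team 20 may see project 3 only.
SCHEMA = """
CREATE TABLE PROJECT (ID INTEGER PRIMARY KEY, NAME TEXT);
CREATE TABLE PROJECT_ACCESS_TEAMS (PROJECT_ID INTEGER, TEAM_ID INTEGER);
CREATE TABLE PROJECTMETRICS (
  PROJECT_ID INTEGER, LAST_OCCURRENCE TEXT,
  VULNERABILITIES INTEGER, CRITICAL INTEGER, HIGH INTEGER);
INSERT INTO PROJECT VALUES (1,'billing'),(2,'web'),(3,'hr-secret');
INSERT INTO PROJECT_ACCESS_TEAMS VALUES (1,10),(2,10),(3,20);
INSERT INTO PROJECTMETRICS VALUES
  (1,'2024-05-01T08:00:00',5,1,2),(1,'2024-05-01T20:00:00',4,1,1),
  (1,'2024-05-02T08:00:00',3,0,1),(2,'2024-05-01T09:00:00',7,2,3),
  (2,'2024-05-02T09:00:00',6,2,2),(3,'2024-05-02T09:00:00',9,9,0),
  (1,'2024-05-03T08:00:00',1,0,0);
"""

# {marks} is filled with one "?" per team id; positional parameters are
# bound in textual order: since, until, then the team ids.
QUERY = """
WITH daily AS (
  SELECT m.PROJECT_ID, date(m.LAST_OCCURRENCE) AS day,
         m.VULNERABILITIES, m.CRITICAL, m.HIGH,
         ROW_NUMBER() OVER (PARTITION BY m.PROJECT_ID, date(m.LAST_OCCURRENCE)
                            ORDER BY m.LAST_OCCURRENCE DESC) AS rn
  FROM PROJECTMETRICS m
  WHERE date(m.LAST_OCCURRENCE) BETWEEN ? AND ?
    AND EXISTS (SELECT 1 FROM PROJECT_ACCESS_TEAMS pat
                WHERE pat.PROJECT_ID = m.PROJECT_ID AND pat.TEAM_ID IN ({marks}))
)
SELECT day, COUNT(*) AS projects, SUM(VULNERABILITIES), SUM(CRITICAL), SUM(HIGH)
FROM daily WHERE rn = 1 GROUP BY day ORDER BY day
"""

def portfolio_metrics(conn, team_ids, since, until):
    """Daily portfolio totals over [since, until] (ISO dates), restricted to
    projects the given teams are allowed to see. A caller with no teams sees
    nothing rather than everything."""
    team_ids = list(team_ids)
    if not team_ids:
        return []
    sql = QUERY.format(marks=",".join("?" * len(team_ids)))
    return conn.execute(sql, (since, until, *team_ids)).fetchall()

def demo_connection():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```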
Ticket #140 describes the initial support for Portfolio ACLs (beta) and covers the majority of cases. However, there are known gaps and these gaps will be implemented in this ticket.
Known gaps include:
In addition, all resources where ACL logic is performed should include a notification in the audit log for tracking purposes. This will be implemented as part of this enhancement.