
ACCESS_MANAGEMENT permission enables user to view all projects #1422

Strakeln opened this issue Jul 30, 2024 · 3 comments
Labels
question Further information is requested

Comments

@Strakeln (Author)

Current Behavior

If a user or a team is granted ACCESS_MANAGEMENT permission, they are able to view all projects, even if their VIEW_PORTFOLIO permission is scoped (via team+portfolio access control) only to specific projects.

It's very possible that this is intentional/expected behavior, given that access management is a system-wide permission and not available on a per-project basis. And I certainly note that Portfolio Access Control is in beta.

Steps to Reproduce

  1. Login with admin credentials
  2. Create a new user
  3. Create a new team
  4. Assign new user to new team
  5. Enable Portfolio Access Control in admin panel
  6. Grant VIEW_PORTFOLIO and ACCESS_MANAGEMENT permissions to the new team
  7. Restrict new team to some subset of projects
  8. Logout
  9. Login with new user credentials
  10. Navigate to Projects
  11. Note that all projects are visible

Expected Behavior

If the same reproduction steps from above are followed, but without granting ACCESS_MANAGEMENT permission in step 6, then the projects the user can see are limited to the projects assigned to the team. This was my expectation for the same user with ACCESS_MANAGEMENT permission granted. That said, given that ACCESS_MANAGEMENT is a system-wide permission, it's very possible that the current behavior is what is intended.

Hyades Version

hyades-api-server:main-5.6.0-snapshot
hyades-frontend:main-5.5.0
mirror-service:main-0.6.0-snapshot-native
notification-publisher:main-0.6.0-snapshot-native
repository-meta-analyzer:main-0.6.0-snapshot-native
vulnerability-analyzer:main-0.6.0-snapshot-native

Repository Type

N/A

Browser

Mozilla Firefox


@Strakeln Strakeln added defect Something isn't working in triage labels Jul 30, 2024
@nscuro (Member) commented Jul 30, 2024

Indeed this behavior is intended. Reason being that, with the ACCESS_MANAGEMENT permission, you could just assign any permission and any project to yourself that you desire.

Restricting the projects users with ACCESS_MANAGEMENT can see would be like locking 3 out of 5 doors, but then giving them the master key that can unlock all doors anyway.

That being said, if you have input as to how you would want this to work, we would most certainly like to hear that!

@nscuro nscuro added question Further information is requested and removed defect Something isn't working in triage labels Jul 30, 2024
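The "master key" argument above can be made concrete with a small model. The following is an added illustration written for this page, not code from hyades-apiserver or Dependency-Track; every class and function name in it (Permission, Team, User, PortfolioAcl, grant_projects, reproduce) is hypothetical. It encodes the reproduction steps from the issue, lets the visibility check either bypass the team scope for ACCESS_MANAGEMENT holders (the current behaviour) or honour it (the reporter's expectation), and then shows that in the honoured-scope variant the user simply widens their own team's scope and sees everything anyway.

```python
"""Toy model of the permission/portfolio-ACL interaction discussed in this issue.

Added illustration, not project code. All names below are hypothetical; the
only behaviour modelled is the one the maintainers describe: a project scope
cannot contain a principal that also holds ACCESS_MANAGEMENT, because that
principal may rewrite the scope itself.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Permission(Enum):
    VIEW_PORTFOLIO = auto()
    ACCESS_MANAGEMENT = auto()


@dataclass
class Team:
    name: str
    permissions: set = field(default_factory=set)
    # Portfolio Access Control: names of the projects this team is scoped to.
    projects: set = field(default_factory=set)


@dataclass
class User:
    name: str
    teams: list = field(default_factory=list)

    def permissions(self):
        perms = set()
        for team in self.teams:
            perms |= team.permissions
        return perms

    def scoped_projects(self):
        scope = set()
        for team in self.teams:
            scope |= team.projects
        return scope


class PortfolioAcl:
    def __init__(self, all_projects, enabled=True):
        self.all_projects = set(all_projects)
        self.enabled = enabled  # "Enable Portfolio Access Control" toggle

    def visible_projects(self, user, bypass_for_access_management=True):
        """Projects `user` may list.

        bypass_for_access_management=True models the behaviour the maintainer
        confirms: ACCESS_MANAGEMENT is system-wide, so the team scope is not
        applied. False models the reporter's expectation (scope always applied).
        """
        perms = user.permissions()
        if Permission.VIEW_PORTFOLIO not in perms:
            return set()
        if not self.enabled:
            return set(self.all_projects)
        if bypass_for_access_management and Permission.ACCESS_MANAGEMENT in perms:
            return set(self.all_projects)
        return user.scoped_projects() & self.all_projects

    def grant_projects(self, actor, team, projects):
        """Widen a team's scope. Only ACCESS_MANAGEMENT holders may do this,
        and nothing prevents them from doing it to their own team."""
        if Permission.ACCESS_MANAGEMENT not in actor.permissions():
            raise PermissionError(f"{actor.name} lacks ACCESS_MANAGEMENT")
        team.projects |= set(projects)


def reproduce(grant_access_management):
    """Steps 1-11 of the issue with step 6 parameterised, followed by the
    self-escalation that makes a scope on ACCESS_MANAGEMENT holders moot.
    Returns (scope_honoured_view, view_after_self_grant_or_None, current_view).
    Project names are constructed sample data."""
    acl = PortfolioAcl(["proj-a", "proj-b", "proj-c", "proj-d", "proj-e"])
    team = Team("new-team", {Permission.VIEW_PORTFOLIO}, {"proj-a", "proj-b"})
    if grant_access_management:
        team.permissions.add(Permission.ACCESS_MANAGEMENT)
    user = User("new-user", [team])

    current = acl.visible_projects(user)  # what the issue reports today
    honoured = acl.visible_projects(user, bypass_for_access_management=False)
    try:
        acl.grant_projects(user, team, acl.all_projects)  # the "master key"
        after_self_grant = acl.visible_projects(user, bypass_for_access_management=False)
    except PermissionError:
        after_self_grant = None
    return honoured, after_self_grant, current


if __name__ == "__main__":
    for flag in (False, True):
        honoured, after, current = reproduce(flag)
        print(f"ACCESS_MANAGEMENT={flag}: scoped={sorted(honoured)} "
              f"after_self_grant={after and sorted(after)} current={sorted(current)}")
```

Running the script shows both variants converge: without ACCESS_MANAGEMENT the user sees only proj-a and proj-b and cannot change that; with it, the scope-honouring check still returns two projects, but one grant_projects call on the user's own team turns that into all five, which is exactly what the current bypass returns directly.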
@Strakeln (Author)

Makes complete sense to me. As you point out, there's no point in locking doors to keep someone with the master key out.

Instituting the desired behavior - access management restricted to specific projects - requires introducing the ability to manage access on a per-project level, which is no small change. My team will be looking into how we might implement such a change and whether it is something we really need/want. If we do go down that path, we'll discuss it here and submit a PR for consideration.

Apologies for making a defect that should have been a question. It straddled the line, so I defaulted to defect.

@nscuro (Member) commented Jul 30, 2024

No worries at all!

You are also not alone in wanting more fine grained ACLs, see #1075 and #1406. A PR with initial work was already contributed by @zprebosnyak-lm: DependencyTrack/hyades-apiserver#800
