Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/fine-grained-permissions
Describe the bug
I'm trying to implement the following permission scheme:
- We have two groups, `/Root/group1` and `/Root/group2`.
- We have two admin groups, `/Admins/group1` and `/Admins/group2`.
- Each admin group should be able to manage the membership for their corresponding group, so e.g. `/Admins/group1` should be able to manage the membership for `/Root/group1`.
I created three group policies:
- `Admins`: applies to `/Admins` and extends to children
- `group1` / `group2`: apply to their respective `/Admins/groupX` group
Then I created four permissions:
- View users and manage group membership: This should allow all members in the admins group to view and manage the group membership for all users.
  - User policy
  - Scopes: `manage-group-membership`, `view`
  - Enforces access to: All users
  - Policy: `Admins`
- View groups and members: This should allow all members in the admins group to view all groups and their members.
  - Group policy
  - Scopes: `view`, `view-members`
  - Enforces access to: All groups
  - Policies: `Admins`
- One permission for each of `group1` and `group2`, which should allow members of their admin group to manage the membership for the specific group:
  - Group policy
  - Scopes: `manage-membership`
  - Enforces access to: `/Root/group1`
  - Policies: `group1`
Finally, I have three users:
- `usera`: member of `/Admins/group1`
- `userb`: member of `/Root/group2`
- `userc`: member of no group
If we now evaluate the permissions of `usera` we get:
- They can `view` and `view-members` on `/Root/group1` and `/Root/group2`
- They can `manage-membership` on `/Root/group1`
- They can `view` and `manage-group-membership` on `userc`
However, `usera` cannot do anything on `userb`, not even `view` them. The permission evaluation says that the "manage membership of `group2`" permission voted DENY, which I find odd. Apparently, the fact that `userb` is part of the `/Root/group2` group prevents `usera` from viewing them.
Version
26.3.0
Regression
- The issue is a regression
Expected behavior
I would expect that the group permission for `/Root/group2` operates on the group object, and as expected `usera` cannot manage the membership for `group2`. I wouldn't expect that this would have an effect on whether or not `usera` can e.g. view `userb`.
Actual behavior
The group permission influences whether `usera` can view `userb`, because `userb` is part of the group allowed by the permission.
How to Reproduce?
1. Use the realm export realm-export-permissions-demo.json to import the realm.
2. Create three users `usera`, `userb`, `userc`.
3. Assign `usera` to group `/Admins/group1`.
4. Assign `userb` to group `/Root/group2`.
5. In the permissions evaluation tab, evaluate `usera` on the `Users` resource type for user `userb` and see that all scopes are denied.
6. Evaluate the same, but this time for user `userc` instead of `userb`, and see that `view` and `manage-group-membership` are allowed.
Anything else?
No response