Previously, the VariableEdit permission was not checked when editing a tenant variable. This was fixed in version 2018.4.6; here is the related issue: #4474
Problem
If the team the user belongs to is scoped to a Project, Environment or Project Group, the user loses the ability to modify the Common Variables of a tenant.
Why
A tenant can have 2 types of variables: Project Variables and Common Variables.
Project Variables only affect the project and environment currently being edited.
Common Variables affect all projects and environments that the tenant is connected to, so any change to the Common Variables will affect projects and environments even if the user is not scoped to them; this opens a security hole. (Note: we fixed this problem in 2018.4.7)
Proposed Solution
We could compare the scopes of the team to all the projects and environments that the tenant is connected to. Modification of a Common Variable should be allowed when all of its projects and environments are within the team scopes.
Case 1
Team scope: Projects-1, Environments-1
Tenant connection: Projects-1, Environments-1
Common variable modification: Allow
Case 2
Team scope: Projects-1, Environments-1
Tenant connection: Projects-1, Projects-2, Environments-1
Common variable modification: Deny, as Projects-2 is not in scope
Case 3
Team scope: Projects-1
Tenant connection: Projects-1, Environments-1, Environments-2
Common variable modification: Allow
Case 4
Team scope: Environments-1
Tenant connection: Projects-1, Environments-1
Common variable modification: Allow
Case 5
Team scope: Environments-1
Tenant connection: Projects-1, Environments-2
Common variable modification: Deny, Environments-2 is not in scope
Problem
The cases listed above can prevent a user from editing a common variable if a new project or environment is connected to the tenant, but another user with enough permission could connect the tenant to another project and environment, which implicitly inherits the variable value from the previous setting, which was set up by a user who does not have permission to the new project or environment.
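The scope comparison proposed above, written out as an added example (not code from the issue or from the product) and run against the five cases. The `Scope` model, the function names and the reading that an empty scope on one dimension means "unrestricted" are assumptions drawn from Cases 3 and 4; the VariableEdit permission itself is assumed to be already granted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    # Hypothetical model: an empty set means "not restricted on this dimension",
    # which is how Cases 3 and 4 read (the unlisted dimension does not block).
    projects: frozenset = frozenset()
    environments: frozenset = frozenset()

def out_of_scope(team: Scope, tenant: Scope) -> list:
    """Connected projects/environments that the team scope does not cover."""
    missing = set()
    if team.projects:
        missing |= tenant.projects - team.projects
    if team.environments:
        missing |= tenant.environments - team.environments
    return sorted(missing)

def can_edit_common_variables(team: Scope, tenant: Scope) -> bool:
    """Allow only when every connection of the tenant is inside the team scope."""
    return not out_of_scope(team, tenant)

def scope(projects=(), environments=()) -> Scope:
    return Scope(frozenset(projects), frozenset(environments))

# The five cases from the issue: (team scope, tenant connections, expected).
CASES = {
    1: (scope(["Projects-1"], ["Environments-1"]),
        scope(["Projects-1"], ["Environments-1"]), True),
    2: (scope(["Projects-1"], ["Environments-1"]),
        scope(["Projects-1", "Projects-2"], ["Environments-1"]), False),
    3: (scope(["Projects-1"]),
        scope(["Projects-1"], ["Environments-1", "Environments-2"]), True),
    4: (scope(environments=["Environments-1"]),
        scope(["Projects-1"], ["Environments-1"]), True),
    5: (scope(environments=["Environments-1"]),
        scope(["Projects-1"], ["Environments-2"]), False),
}

def evaluate_cases() -> dict:
    return {n: can_edit_common_variables(team, tenant)
            for n, (team, tenant, _) in CASES.items()}

if __name__ == "__main__":
    for n, (team, tenant, expected) in CASES.items():
        print(n, "Allow" if can_edit_common_variables(team, tenant) else
              f"Deny: {out_of_scope(team, tenant)}", "expected", expected)
```

The check is evaluated at edit time only: Case 1 becomes Case 2 once the tenant is connected to Projects-2, but a value written while Case 1 held is still the value Projects-2 inherits, which is the second problem described above.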
Release Note: Users can now modify tenant Common Variables if they have access to all projects and/or all environments this tenant is connected to with VariableEdit permission.
This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.
lockbot locked as resolved and limited conversation to collaborators on Nov 23, 2018