[api/frontend] Add organizations restrictions on top of markings to increase data segregation possibilities (#2188) #2317

Merged
merged 62 commits into from
Nov 15, 2022


richard-julien
Member

No description provided.

@richard-julien richard-julien changed the title [api/front] Add groups restrictions on top of markings to increase data segregation possibilities #2188 [api/front] Add groups restrictions on top of markings to increase data segregation possibilities (#2188) Sep 1, 2022
@richard-julien richard-julien marked this pull request as draft September 1, 2022 19:29
@codecov

codecov bot commented Sep 4, 2022

Codecov Report

Base: 65.38% // Head: 64.77% // Decreases project coverage by -0.60% ⚠️

Coverage data is based on head (9165fb2) compared to base (88d8c0c).
Patch coverage: 47.09% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2317      +/-   ##
==========================================
- Coverage   65.38%   64.77%   -0.61%     
==========================================
  Files         262      265       +3     
  Lines       16406    16760     +354     
  Branches     3234     3329      +95     
==========================================
+ Hits        10727    10857     +130     
- Misses       5679     5903     +224     
Impacted Files Coverage Δ
...pencti-platform/opencti-graphql/src/config/conf.js 73.55% <ø> (ø)
...cti-platform/opencti-graphql/src/database/utils.js 95.09% <0.00%> (-0.47%) ⬇️
...-platform/opencti-graphql/src/domain/enrichment.js 46.15% <ø> (ø)
...i-platform/opencti-graphql/src/domain/indicator.js 48.45% <ø> (ø)
...latform/opencti-graphql/src/domain/observedData.js 37.50% <ø> (ø)
...cti-platform/opencti-graphql/src/domain/opinion.js 65.21% <ø> (ø)
...ncti-platform/opencti-graphql/src/domain/report.js 76.08% <ø> (ø)
...encti-platform/opencti-graphql/src/domain/rules.ts 96.42% <ø> (ø)
...ncti-platform/opencti-graphql/src/domain/status.ts 45.71% <ø> (ø)
...opencti-graphql/src/domain/stixCoreRelationship.js 52.03% <ø> (ø)
... and 44 more


@ckane
Contributor

ckane commented Sep 5, 2022

Curious if, overall, the proposed changes would allow me to mark an IP Address (or any other entity, but just pulling IP Addr as an example) such that it is:

  • TLP:AMBER+STRICT within my organization (as that might be what "internal restrictions" I might place on anything shared from an external source at TLP:GREEN with my org)
  • TLP:GREEN within "CTI sharing group 1", where someone might have shared it at TLP:GREEN level to me
  • TLP:RED within "CTI sharing group 2", where someone else might have independently shared it TLP:RED with my org as audience

@richard-julien
Member Author

> Curious if, overall, the proposed changes would allow me to mark an IP Address (or any other entity, but just pulling IP Addr as an example) such that it is:
>
>   • TLP:AMBER+STRICT within my organization (as that might be what "internal restrictions" I might place on anything shared from an external source at TLP:GREEN with my org)
>   • TLP:GREEN within "CTI sharing group 1", where someone might have shared it at TLP:GREEN level to me
>   • TLP:RED within "CTI sharing group 2", where someone else might have independently shared it TLP:RED with my org as audience

To clarify a bit, it's ongoing work, so we need to redefine the semantics a bit :)

  • Group = a set of markings. A user can be assigned to multiple groups and so gets a combination of granted markings.
  • Organization = company of a user. A user could be inside multiple organizations.

So the PR is more about adding Organization restrictions on top of Group restrictions.

Organization restrictions are another level on top of markings. For me, TLP:AMBER+STRICT is a first STIX approach to this problem because it means AMBER but for MY ORG only.
For info, we decided to do it like markings: no organization = all organizations.

The big difference between groups and organizations is that group/markings are exclusive and organizations are inclusive.
For example:
User definitions

  • USER01 is part of GROUP_GREEN (TLP:GREEN) - inside organization COMPANY01
  • USER02 is part of GROUP_RED (TLP:RED) - inside organization COMPANY01
  • USER03 is part of GROUP_GREEN (TLP:GREEN) - inside organization RESTRICT

Data
Some use cases

  • IP address 8.8.8.8 created with TLP:GREEN
    -> USER01, USER02 and USER03 all have access.
  • IP address 8.8.8.8 created with TLP:GREEN + COMPANY01 orga restrictions
    -> Only USER01 and USER02 have access.
  • IP address 8.8.8.8 created with TLP:RED + COMPANY01 orga restrictions
    -> Only USER02 has access.

So for your "CTI sharing group 1", I think it will be modeled as an Organization (type circle/sharing) that will have some sub-organizations, for example COMPANY01 + COMPANY02. So if you add the orga restrictions to "CTI sharing group 1", both organizations will have access to the IP.

Hope this helps to understand our vision on this subject. :)
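
The access rules from the comment above, as an added example that is not part of the original thread and is not OpenCTI's own code. It assumes TLP levels are ordered so that a granted level covers lower ones (which the TLP:GREEN use case implies for USER02); `USER04`, `SHARING_GROUP_1` and all function names are hypothetical.

```javascript
// Constructed model of the rules described above; not OpenCTI code.
// Assumption: TLP levels are ordered and a granted level covers lower ones.
const TLP_ORDER = { 'TLP:GREEN': 1, 'TLP:AMBER': 2, 'TLP:AMBER+STRICT': 3, 'TLP:RED': 4 };
const GROUPS = { GROUP_GREEN: ['TLP:GREEN'], GROUP_RED: ['TLP:RED'] };
// Hypothetical id for "CTI sharing group 1", with its sub-organizations.
const SUB_ORGS = { SHARING_GROUP_1: ['COMPANY01', 'COMPANY02'] };

const USERS = {
  USER01: { groups: ['GROUP_GREEN'], organizations: ['COMPANY01'] },
  USER02: { groups: ['GROUP_RED'], organizations: ['COMPANY01'] },
  USER03: { groups: ['GROUP_GREEN'], organizations: ['RESTRICT'] },
  USER04: { groups: ['GROUP_GREEN'], organizations: ['COMPANY02'] }, // constructed user
};

// Highest TLP level granted through any of the user's groups (0 = none).
function maxGrantedLevel(user) {
  const levels = user.groups.flatMap((g) => GROUPS[g] || []).map((m) => TLP_ORDER[m]);
  return Math.max(0, ...levels);
}

// A restriction on a parent organization also admits its sub-organizations.
function expandOrgs(orgs) {
  return new Set(orgs.flatMap((o) => [o, ...(SUB_ORGS[o] || [])]));
}

function canAccess(user, object) {
  // Markings are exclusive: every marking must be covered, one miss denies.
  // Unknown markings fail closed.
  const granted = maxGrantedLevel(user);
  const markingsOk = (object.markings || []).every((m) => {
    const level = TLP_ORDER[m];
    return typeof level === 'number' && level <= granted;
  });
  if (!markingsOk) return false;
  // Organizations are inclusive: no restriction = all organizations,
  // otherwise membership in any one allowed organization is enough.
  const restricted = object.organizations || [];
  if (restricted.length === 0) return true;
  const allowed = expandOrgs(restricted);
  return user.organizations.some((o) => allowed.has(o));
}

function usersWithAccess(object) {
  return Object.keys(USERS).filter((name) => canAccess(USERS[name], object));
}

// Third use case from the comment: TLP:RED + COMPANY01 restriction.
console.log(usersWithAccess({ markings: ['TLP:RED'], organizations: ['COMPANY01'] }));
```

Both checks must pass, so adding an organization restriction can only narrow the audience that the markings already allow.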

@richard-julien richard-julien changed the title [api/front] Add groups restrictions on top of markings to increase data segregation possibilities (#2188) [api/front] Add organizations restrictions on top of markings to increase data segregation possibilities (#2188) Sep 5, 2022
@richard-julien richard-julien force-pushed the group_restrictions branch 2 times, most recently from 9808381 to 7891a6e Compare September 9, 2022 19:39
@richard-julien richard-julien force-pushed the group_restrictions branch 4 times, most recently from 15aa365 to 7ddb3b0 Compare October 15, 2022 08:18
@SamuelHassine SamuelHassine force-pushed the group_restrictions branch 2 times, most recently from d4a35af to c95dcb1 Compare October 24, 2022 20:16
@SamuelHassine
Member

This PR looks good to me.

SamuelHassine and others added 27 commits November 15, 2022 12:06
@richard-julien richard-julien merged commit 43e4e94 into master Nov 15, 2022
@richard-julien richard-julien deleted the group_restrictions branch November 15, 2022 12:28