User groups (multi-tenancy) #103

Open
ghost opened this Issue Jan 25, 2017 · 21 comments

ghost commented Jan 25, 2017

Request Type

Feature Request

Work Environment

| OS version (server) | Ubuntu |
| TheHive version / git hash | 2.9.1 |

Problem Description

I would like to ask for the possibility to let a user (or a group of users) access only cases with a set of given tags.
For example, a user "X" shall be allowed to see (and modify) only cases with tag "Y", "Z".
Thank you

@nadouani nadouani modified the milestone: 3.0.0 Mar 30, 2017

Member

3c7 commented Apr 11, 2017

It could be useful to restrict analyzer access, too.


MariasStory commented May 16, 2017

Hi, I do not really get the tags idea.
Who will be setting the tags?

From my original request:
Is there a way to get users permissions organized in groups comparable to MISP - organizations based?
Is there a user groups management concept?
Is there a case integrity concept? Limited access to the tickets that are owned by one group from another and notification of the ticket author about changes to the ticket from another investigator.

Member

3c7 commented May 16, 2017

@MariasStory this is not implemented yet. So currently there's no way to restrict access to specific cases etc.

Contributor

saadkadhi commented May 16, 2017

Here is my comment on #162:

We are against creating yet another level below the case level. Instead, we'd study adding custom tags according to a taxonomy that would allow you to achieve the same results. For example shared:all, shared:groupX, ...

As for user/roles, that won't come before 3.0 slated for Q4 2017. We'll track this in #103.

So @MariasStory:

  • Who will be setting the tags? You, according to your needs, using a taxonomy (see above).
  • Is there a way to get users permissions organized in groups comparable to MISP - organizations based? We have no current plans of using MISP-like organizations to share cases between two or more TheHive instances. However, if the goal is to solely manage case access per user/group, then this is a feature slated for 3.0 slated for Q4 2017.
  • Is there a user groups management concept? No. That will come with 3.0.
  • Is there a case integrity concept? Limited access to the tickets that are owned by one group from another and notification of the ticket author about changes to the ticket from another investigator. Besides the real-time stream, there's an audit trail that will let you see every action ever made to TheHive. Admittedly, it is not easy to query and read for the layman so we will be providing an easy way to query and monitor it.

MariasStory commented May 16, 2017

Hi @3c7, I kind of got this idea. From what I see, the project is over-complicated and over-planned. The use of Scala requires compilation, which is (in contrast to node.js/python, in the worst case PHP) a limiting factor for effective collaboration in development and fast patching.
I would not mind if this were a mature solution and there was a question of adding a simple/convenience feature. In this case, we are implementing the solution on a large scale. We would not mind professional support, but it should be a responsive and open-minded team able to implement features as needed.

Don't get me wrong, I do appreciate the effort and am willing to help.

At the moment, I suggest to have the integrity checks and make the development as dynamic as possible. Don't wait till Q4. Ask for help, if you need it, and get it done.

There is a big potential in the solution and at worst the active developers may get a good position with this experience. Make this project great and bring it to industry.

I suggest taking an example from the Radare2 community. They solve problems overnight and their builds never break.

I am sorry to waste my time writing this comment; I would prefer to give you a ready solution. This, on the other hand, would mean too much effort from my side with the current configuration.

Please, make a list of tasks that have to be done and try to subdivide the tasks as granular as it can be done. Try to involve as many programmers/supporters as you can and get this project going.

Is there something that I miss?

Contributor

saadkadhi commented May 16, 2017

Hi @MariasStory. I am sorry to learn that you find our project over-complicated and over-planned. We are striving to make rock-solid products that may match if not surpass some commercial alternatives that cost 80K€+ a year.

We have chosen Scala for the back-end for many reasons and we do not intend to use node.js/python or PHP anytime soon.

While implementing user/group management might seem to you an easy feature, we think otherwise and we have a clear vision of where we are going with the product while listening, as we have shown many times, to our user community requests. Nonetheless, if you'd like to contribute, please feel free to do so. That being said, we'd prefer security professionals to concentrate on bringing real value to the community by contributing analyzers, which they can write in any programming language supported by Linux.

Since you've mentioned professional support (which comes at a cost), please do not hesitate to contact us on support at thehive-project dot org if you have business in mind.

If you still feel unsatisfied, and as much as we'd like to see our products used as widely as possible to help bring a dent into cybercrime, please do not hesitate to look for commercial or open source alternatives that better suit your needs.

Regards,


mthlvt commented Aug 7, 2017

I also would be very happy to be able to control access to certain cases.

Do you think deadbolt could be a good candidate solution to implement it?

Best regards,

Contributor

saadkadhi commented Nov 12, 2017

Updating my comment below:

  • Is there a user groups management concept? No. That will come with 4.2 and not 3.0 as initially planned. That being said, we'll strive to make it happen earlier.
Contributor

saadkadhi commented Nov 15, 2017

Update: we have decided to make this happen sooner than later. It is now scheduled for 3.1 (Cerana 1) due sometime in April 2018.


0xmilkmix commented Feb 12, 2018

Hello,

My 2cts on implementing it using tags: this would indeed automate the tagging from alerts when they are created by hive4py but this could be prone to errors (ex: case is related to team1 but concerns a project which also appears to be team2's name).

Would it be possible to use a dedicated field like "group" or "tenant" to handle this and be able to set this field in alerts from the API and propagate it to cases?

Thank you
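
The collision described in the comment above, as an added example that is not part of the original thread or of TheHive's code: a constructed alert owned by team1 about a project that happens to be named "team2" is promoted to a case under three visibility schemes (a bare group tag, a namespaced `shared:<group>` tag as in saadkadhi's earlier comment, and a dedicated tenant field). The `Case` class, the `owner_group` and `tenant` names and the three mode names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Case:
    title: str
    tags: Set[str] = field(default_factory=set)  # free-form, analyst-editable
    tenant: Optional[str] = None  # hypothetical dedicated field, not a TheHive attribute

def case_from_alert(alert: dict, mode: str) -> Case:
    """Promote a constructed alert dict to a case under one visibility scheme."""
    tags = set(alert["tags"])            # descriptive tags set by the alert feeder
    owner = alert["owner_group"]
    if mode == "bare":                   # access tag is just the group name
        return Case(alert["title"], tags | {owner})
    if mode == "taxonomy":               # namespaced tag, e.g. shared:groupX
        return Case(alert["title"], tags | {f"shared:{owner}"})
    if mode == "field":                  # ownership kept out of the tag set
        return Case(alert["title"], tags, tenant=owner)
    raise ValueError(f"unknown mode: {mode}")

def can_view(case: Case, group: str, mode: str) -> bool:
    """Visibility decision for one group under the given scheme."""
    if mode == "bare":
        return group in case.tags
    if mode == "taxonomy":
        return bool({f"shared:{group}", "shared:all"} & case.tags)
    if mode == "field":
        return case.tenant == group
    raise ValueError(f"unknown mode: {mode}")

def viewers(alert: dict, groups, mode: str):
    """Groups that end up able to see the case created from this alert."""
    case = case_from_alert(alert, mode)
    return sorted(g for g in groups if can_view(case, g, mode))

GROUPS = ["team1", "team2"]
# Constructed sample: owned by team1, descriptive tag collides with team2's name.
ALERT = {"title": "Phishing against project team2",
         "owner_group": "team1",
         "tags": ["phishing", "team2"]}

if __name__ == "__main__":
    for mode in ("bare", "taxonomy", "field"):
        print(f"{mode:9s} -> visible to {viewers(ALERT, GROUPS, mode)}")
```

The namespaced tag avoids the accidental name collision, but access still depends on a tag set that anyone able to edit tags can change; the dedicated field keeps the access decision separate from descriptive tagging.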


This-will-be-your-username commented Jun 13, 2018

Just curious if there's been any progress on this particular feature. I've been eyeing this product for our team; however, the lack of case-specific permissions is a non-starter for us to pick up this product.

Contributor

saadkadhi commented Jun 13, 2018

Still on track for Cerana 1 (3.1), initially planned TBR Apr 2018 and delayed to July 2018.

@saadkadhi saadkadhi removed this from the 3.1.0 (Cerana 1) milestone Jun 13, 2018

@saadkadhi saadkadhi changed the title from "User permissions" to "User groups (multi-tenancy)" Jun 13, 2018

@saadkadhi saadkadhi added this to the 3.2.0 (Cerana 2) milestone Jun 13, 2018

Contributor

saadkadhi commented Jun 13, 2018

The feature is more complex to implement than initially thought. We will explain how it is so in a blog post pretty soon so you can understand why it was delayed to Cerana 2 (TheHive 3.2.0). Once the blog post is online, feel free to contact us if you are able to help. I will add the link as a comment to this issue.


lokuhetty commented Jul 31, 2018

I have seen that Cerana 2 Beta is announced. Any idea on this specific feature? I'm on the edge of migrating all my archived cases to this and just waiting for this feature. BTW thanks a lot guys for an amazing product.


aaronmartin1651 commented Aug 14, 2018

I would be very interested in the current status and potential release date of this feature. We are considering which IRP to use and we like the product but the ability to restrict access is a deciding factor for us.

Member

3c7 commented Aug 14, 2018

There's also a blog post (https://blog.thehive-project.org/2018/06/27/the-mind-boggling-implications-of-multi-tenancy/) explaining why it's complicated to implement. However, it's announced for October 2018 at the moment.


kara-1234 commented Aug 14, 2018

+1 cannot wait for this feature to come!


Kuvaldich commented Oct 5, 2018

Guys, do you have any info on the feature realization?

@To-om To-om removed this from the 3.2.0 (Cerana 2) milestone Oct 15, 2018


sammen89 commented Oct 19, 2018

Saad,

I'm excited about multi-tenancy (RBAC) on theHive! Should be later this month right?

Contributor

saadkadhi commented Oct 19, 2018

Nope, this feature has been delayed to next year. It requires heavy lifting and we only have so much dev time.


cvdsouza commented Feb 2, 2019

Hey Saad and team,
Just checking here, is RBAC slated for any particular version of theHive this year? (Understand that this is heavy dev, hence just checking to see if it's still on the roadmap.)
