Expected behavior:
When interacting with the ReviewAccessRequest RPC and my identity is in a state of role impersonation, whether or not I am able to review a request should be based on the roles I have impersonated rather than the roles my user directly holds.
Current behavior:
The ReviewAccessRequest RPC fetches the user's roles and evaluates based on those rather than the roles currently associated with the identity. This prevents Machine ID bot credentials from being able to review access requests as part of our plugins.
Suggested fix:
Following discussion, we will add support for evaluating role impersonation correctly. The code will ensure that the impersonated roles are a subset of the user's impersonatable roles - this prevents recursive impersonation via access requests.
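The check described in the suggested fix, as an added Go example that is not part of the original issue and not the project's own code. The `Identity` and `User` types, `ReviewerRoles`, `ErrImpersonationDenied`, and the rule that an identity carrying exactly the user's own roles counts as not impersonating are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity (hypothetical): roles encoded in the presented certificate.
type Identity struct{ Roles []string }

// User (hypothetical): stored record with directly held roles and the
// roles those permit the user to impersonate.
type User struct{ Roles, Impersonatable []string }

var ErrImpersonationDenied = errors.New("role not impersonatable by user")

func toSet(xs []string) map[string]bool {
	s := make(map[string]bool, len(xs))
	for _, x := range xs {
		s[x] = true
	}
	return s
}

// ReviewerRoles returns the roles review permissions are evaluated against.
func ReviewerRoles(id Identity, u User) ([]string, error) {
	held, carried := toSet(u.Roles), toSet(id.Roles)
	impersonating := len(held) != len(carried)
	for r := range carried {
		impersonating = impersonating || !held[r]
	}
	if !impersonating {
		return u.Roles, nil // assumption: identical role set means no impersonation
	}
	allowed := toSet(u.Impersonatable)
	for _, r := range id.Roles {
		if !allowed[r] { // subset check from the suggested fix
			return nil, fmt.Errorf("%w: %q", ErrImpersonationDenied, r)
		}
	}
	return id.Roles, nil
}

func main() {
	// Constructed sample: a bot user whose own role only allows impersonation.
	bot := User{Roles: []string{"bot"}, Impersonatable: []string{"access-reviewer"}}
	fmt.Println(ReviewerRoles(Identity{Roles: []string{"access-reviewer"}}, bot))
	fmt.Println(ReviewerRoles(Identity{Roles: []string{"admin"}}, bot))
}
```

The second call is rejected because `admin` is outside the user's impersonatable set, so a review decision can never be evaluated against roles the user could not have obtained through impersonation.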