user realm does not work with action auditlog #663
Comments
cornelinux
added
Type: Bug
|
In fact it works as designed. The help desk user should only see audit logs from realms, which he is allowed to manage. I.e. the help desk user has token rights. And realms which occur in the token policies should be visible I the audit log. |
|
We need to create an overlay filter on the search in the search_dict. An administrator might be allowed to view entries from realmA and realmB and Users. Thus we should show him entries containing realmA or realmB or Users. But the admin may also filter on the realm like "filter for: realm*". Then we need to show hin realmA and realmB, not "Users". Thus the search_dict needs to be extended with some kind of "allowed_realm" and "allowed_resolver". Thus the search condition will be constructed as A decorator should add the necessary parameters in the search_dict, in Audit.search. Here |
cornelinux
added
the
Type: Enhancement
Please think about and cover the following questions:
Versions
privacyIDEA: 2.18
What did you try to do?
Restrict the auditlog for helpdesk users.
A helpdesk user (admin_realm) was supposed to only see audit entries for certain user realms.
Thus defining a policy
scope=admin
action=auditlog
admin_realm=helpdesk
realm=user_realm
What outcome did you expect?
Helpdesk user should only see audit entries with realm=user_realm.
What outcome did you experience?
Helpdesk user can not see auditlog at all.
Conclusion
Obviously the decorator at this place:
https://github.com/privacyidea/privacyidea/blob/master/privacyidea/api/lib/prepolicy.py#L763
does not work for action auditlog this way.
Workaround
Do not use user_realm with action auditlog.
Define a second policy if needed.
The text was updated successfully, but these errors were encountered: