user realm does not work with action auditlog #663
Labels: Topic: Audit, Topic: Policy, Type: Enhancement, Type: Known issue
Please think about and cover the following questions:
Versions
privacyIDEA: 2.18
What did you try to do?
Restrict the auditlog for helpdesk users.
A helpdesk user (admin_realm) was supposed to only see audit entries for certain user realms.
Thus defining a policy
scope=admin
action=auditlog
admin_realm=helpdesk
realm=user_realm
What outcome did you expect?
Helpdesk user should only see audit entries with realm=user_realm.
What outcome did you experience?
Helpdesk user cannot see auditlog at all.
Conclusion
Obviously the decorator at this place:
https://github.com/privacyidea/privacyidea/blob/master/privacyidea/api/lib/prepolicy.py#L763
does not work for action auditlog this way.
Workaround
Do not use user_realm with action auditlog.
Define a second policy if needed.
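
The outcome expected in the report above, as an added sketch that is not privacyIDEA's code and not part of the original issue: audit entries are filtered by the user realms that a matching `auditlog` admin policy grants. Policies and audit rows as plain dicts, the function names, "no realm set means unrestricted" and "no matching policy means deny" are all assumptions of this example.

```python
# Added sketch, not privacyIDEA code. Policies and audit entries are plain
# dicts (an assumption); field names mirror the policy shown in the issue.

def _csv(value):
    """Split a comma-separated policy field into a set of trimmed items."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}

def allowed_audit_realms(policies, admin_realm):
    """Return the user realms whose audit entries this admin may read.

    None  -> unrestricted: a matching policy sets no realm (assumption)
    set() -> no matching auditlog policy, so deny by default (assumption)
    """
    realms, matched = set(), False
    for pol in policies:
        if pol.get("scope") != "admin" or "auditlog" not in _csv(pol.get("action")):
            continue
        admin_realms = _csv(pol.get("admin_realm"))
        if admin_realms and admin_realm not in admin_realms:
            continue
        matched = True
        pol_realms = _csv(pol.get("realm"))
        if not pol_realms:
            return None
        realms |= pol_realms
    return realms if matched else set()

def filter_audit(entries, policies, admin_realm):
    """Keep only the audit entries the admin's policies allow."""
    allowed = allowed_audit_realms(policies, admin_realm)
    if allowed is None:
        return list(entries)
    return [e for e in entries if e.get("realm") in allowed]

# Constructed sample data: the policy from the issue plus three audit rows.
POLICIES = [{"scope": "admin", "action": "auditlog",
             "admin_realm": "helpdesk", "realm": "user_realm"}]
AUDIT = [
    {"id": 1, "action": "POST /validate/check", "realm": "user_realm"},
    {"id": 2, "action": "POST /validate/check", "realm": "other_realm"},
    {"id": 3, "action": "POST /auth", "realm": ""},
]

if __name__ == "__main__":
    for row in filter_audit(AUDIT, POLICIES, "helpdesk"):
        print(row)
```

Under a realm-restricted policy this sketch also hides rows that carry no realm at all (row 3), which is the stricter of the two possible readings of the expected outcome.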