Prisma Cloud: Feature flag to edit default and custom policies using custom permission groups
Created On 11/06/23 22:09 PM - Last Modified 03/18/24 15:34 PM
Symptom
Users faced issues with the current role-based access control (RBAC) implementation: they are unable to modify or edit out-of-the-box (OOB) policies, or custom policies created by another user with a different role.
Environment
- Prisma Cloud
- Settings
- Access Control
- Policies
- Settings
Cause
Consider Role A, a role with a custom permission group that includes permission to edit policies:
Issue 1. When a user with Role A tries to edit custom policies (created by a System Admin or by other roles), they get the following error:
"You do not have the permissions to update this. Only the owner and users with the same role as the owner are allowed this operation."
The existing behavior only allows the author of a custom policy, plus any peers in the same role, to edit it.
Issue 2. A user with Role A cannot edit Prisma Cloud default policies. Only System Admins have access to modify/edit default policies.
Issue 3. With Role A, no action item options are available for policies of type IAM.
Resolution
The current RBAC implementation performs the steps below before granting a user the ability to perform policy actions:
- Does the user have access to modify a policy? This requires the Policy Update permission (driven by the user's role).
- Is the user trying to modify a policy that is fully owned (created) by their role?
- If both checks pass, allow modifying the policy.
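The following is an added model of the authorization check described above, written for this article as an illustration; it is not Prisma Cloud's own code, and the role name "System Admin", the permission string "policy:update", and the policy type labels are assumptions. It reproduces the three issue cases for Role A and the path that succeeds.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed model of the policy-edit check this article describes.
# Names below are assumptions, not Prisma Cloud identifiers.
SYSTEM_ADMIN = "System Admin"
POLICY_UPDATE = "policy:update"

NO_OWNER_ERROR = ("You do not have the permissions to update this. Only the owner "
                  "and users with the same role as the owner are allowed this operation.")


@dataclass(frozen=True)
class User:
    name: str
    role: str
    permissions: FrozenSet[str]   # granted by the role's permission group


@dataclass(frozen=True)
class Policy:
    name: str
    policy_type: str              # e.g. "config", "network", "iam"
    owner_role: Optional[str]     # None for a default (OOB) policy


def can_edit_policy(user: User, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason) following the steps listed in the article."""
    # Issue 3: custom permission groups expose no actions for IAM policies.
    if policy.policy_type == "iam" and user.role != SYSTEM_ADMIN:
        return False, "no policy actions available for IAM policies with a custom permission group"
    # Step 1: the user's role must carry the Policy Update permission.
    if POLICY_UPDATE not in user.permissions:
        return False, "role lacks Policy Update permission"
    # Issue 2: default (OOB) policies are editable only by System Admins.
    if policy.owner_role is None:
        if user.role == SYSTEM_ADMIN:
            return True, "System Admin may edit default policies"
        return False, "only System Admins can edit default policies"
    # Step 2 / Issue 1: custom policies are editable only by the owning role.
    if policy.owner_role == user.role:
        return True, "user shares the owner's role"
    return False, NO_OWNER_ERROR
```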
Additional Information
NOTE:
- Custom "permission groups" are not supported for IAM policies. (An RFE has been submitted: https://paloaltonetworkscloud.aha.io/ideas/ideas/PANW-I-5582?active_tab=idea_comments)
- For Data policies, a user with a custom permission group that has the Create Policy permission and the Data Security Profile View permission enabled can create a custom data policy.
- Data policies can be modified by a user with a custom permission group. However, the edit option is not displayed in the legacy UI; it is enabled in the Darwin UI.