I’m struggeling with the role-based permissions on the latest released of gvm-10 with GSA 8.0.1.
I managed to show all existing resources to all users by adding my admin user to a group called “All users” and grant the Super permission to this group. When I create a new user and add him to that group and to the role “Observer”, he’s able to see everything.
Now I want to create a new group or role and add the modify rights for some tasks and targets for this user. When I login with the second user, I’m still only able to see all tasks, but not to modify the special task.
Am I doing something wrong? I thought that I did everything like it’s described in the documentation…
All permissions come in two categories: as global permission and as specific permission. A user needs to have the global permission (either being given directly or by being assigned to a role or group associated with the user) to be able to use specific permissions for individual objects.
To check if a user has all permissions needed, log in as an admin and open the Permission tab of this users detailed user view:
Web GUI > Administration > Users > Name of the user > Permissions
Feel free to post a list of all permissions if you can’t find out what’s wrong.
So you mean, that I need to give that user/role e.g. the global modify_task permission so that I can then add a special permission modify_task for the task?
If I do that, the user has modify permissions on all tasks, as I gave them the Super permissions for the group “All users” where I added all users.
I did this because I wanted that all users can always see all objects and no one creates a second task/target/… that already exists. So all users are also member (except the Admin user) are also member of the role “Observer” so that they get the global get_* permissions.
Yes, that is correct.
In a super group all members have all specific permissions on all objects of the other users. If a user in this group lacks the global modify_task permission this stops him to execute any of the specific modify_task permissions he got by group membership. If this user gets the global modify_task permission, he will be able to modify all of the tasks the group shares.
Ok, got it. Could you please tell me what’s the correct way to achieve the following?
Members of a certain group/role should be able to see all objects, but should only be able to modify/delete objects (tasks/targets/alerts) that belong to their tasks.
And is it possible to add global permissions or are they statically linked to the pre-defined roles?
I’m sorry, I can’t think of a proper way to administer the users in such a way that they automatically get all objects of other group members, but can only edit their own objects.
For some clarity on why this doesn’t work, Super permission makes you effectively the owner of the resource(s) in question. If you have Super permission on some resource, gvmd acts as though you are the owner of the resource. This was introduced to support making one user a proxy for another (or a proxy for all users in a group/role).
The only thing that can prevent you from performing a particular action on a resource that you own, is if you do not have permission to run that action. For example if you are effectively the owner of a task then you can only run the task if you have the general start_task permission (a “start_task” permission without an associated resource).
