Permissions management question

Hello,

I have a group of users, members of a group named “Tests”, whom I would like to be able to create objects (tasks, targets, etc.) available to the whole group Tests. E.g., User1 creates a task named Task1, which needs to be available, at least read-only, to all members of group Tests. Simple question, after all.

Currently, if user Test1 tries to add a new permission (allowing members of group Tests read access) to an object he just created, he gets an error saying “Given subject_id was invalid”. And obviously, other members of his group don’t see it.

What is the proper way to manage permissions in this scenario?

Any input would help.
Thank you!

What’s your workflow to create said permission? Do you use GSA? If so, does the following workflow get you the “Given subject_id was invalid” error?

  1. Open permission view of Task1
    GSA > Scans > Tasks > Task1 > Magnifier > Permissions
  2. Click on the “New Permission” action to the right.
  3. Create a read permission for group “Tests” with all related objects

Hi Tino,

I’m using GSA indeed. The workflow you describe works if I do it using my admin account. But as long as a user, member of group Tests, does the same for his tasks, he will get the Given subject_id invalid error.

Hi tatooin,

An admin user can create role permissions for a task. A user with the “user” role, however, can’t, because the options in the ‘Create Permission’ dialog to select users, roles, or groups are missing and therefore an undefined subject_id is sent.
I admit that the UX in this case needs some work, but the behavior is correct. That is because a normal “user” user doesn’t have access to other users, roles, or groups, and so the dialog options are not shown.
You should be able to overcome this problem by giving the user role the get_groups permission, if that is something that fits your permission and security scheme.


Nope; I thought this also, so I gave the user various permissions including get_roles, etc., but this doesn’t help. The error remains the same.

Do you see the options in the dialog and are you able to select the “Tests” group? If the options are visible and the “Tests” group is by any chance the default group that is shown, please try to select another group first and change back to “Tests” before clicking “Save”. Maybe the group is listed and displayed correctly, but the id is not properly saved in the dialog state…


Nope either. The user isn’t able to select any group. The only available dropboxes are read/write permissions and “including related resources”.

I forgot to mention; I’m using GSA 21.4.3

If the options are completely missing, there are problems with the get_roles, get_users, and get_groups permissions. At least, those are used in the dialog to show the drop downs only if granted.

Could you double check if the user in question has those permissions? Also try to grant them for a single user or for groups/roles. Maybe there is a bug when assigning permissions to, say, users, but it would work for roles. This way we could at least rule that out.

Seems like it’s a bug, because granting those permissions to the group fixes the problem. So giving the permissions to the user himself will do nothing; you need to also give them to the user group.

The permission model in Greenbone seems very experimental at this point.
At least it fixes my issue now. Thanks for your help!
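
The check this thread ends up at, written out as an added example (not code from any poster or from Greenbone): it reads a GMP `get_permissions` response, reports which of the dialog-related permissions named above are not held by the group itself, and builds the `create_permission` commands to grant them. The sample response is constructed and simplified, every id is a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Command permissions the thread says the "New Permission" dialog depends on.
DIALOG_PERMS = ("get_users", "get_roles", "get_groups")

# Constructed, simplified GMP get_permissions response; all ids are placeholders.
SAMPLE_RESPONSE = """
<get_permissions_response status="200" status_text="OK">
  <permission id="perm-0001"><name>get_groups</name>
    <subject id="user-test1"><name>Test1</name><type>user</type></subject></permission>
  <permission id="perm-0002"><name>get_roles</name>
    <subject id="user-test1"><name>Test1</name><type>user</type></subject></permission>
  <permission id="perm-0003"><name>get_groups</name>
    <subject id="group-tests"><name>Tests</name><type>group</type></subject></permission>
</get_permissions_response>
"""

def missing_for_group(response_xml, group_id):
    """Return the dialog permissions not granted to the group itself."""
    root = ET.fromstring(response_xml)
    held = set()
    for perm in root.iter("permission"):
        subject = perm.find("subject")
        if subject is None:
            continue
        # Grants made to an individual user are ignored on purpose:
        # in the thread they did not make the group selector appear.
        if subject.findtext("type") == "group" and subject.get("id") == group_id:
            held.add(perm.findtext("name"))
    return [p for p in DIALOG_PERMS if p not in held]

def grant_commands(group_id, names):
    """Build one GMP create_permission command per missing permission."""
    cmds = []
    for name in names:
        cmd = ET.Element("create_permission")
        ET.SubElement(cmd, "name").text = name
        subject = ET.SubElement(cmd, "subject", id=group_id)
        ET.SubElement(subject, "type").text = "group"
        cmds.append(ET.tostring(cmd, encoding="unicode"))
    return cmds

if __name__ == "__main__":
    missing = missing_for_group(SAMPLE_RESPONSE, "group-tests")
    print("missing on group:", missing)
    for line in grant_commands("group-tests", missing):
        print(line)
```

Granting these lets every member of the group list users, roles and groups, so confirm that fits your permission scheme before sending the commands.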