
AAD provider Get-PrivilegedUser function assigns duplicate role names to a user in the provider JSON in some cases #703

Closed
tkol2022 opened this issue Dec 6, 2023 · 3 comments · Fixed by #794
Labels: bug (This issue or pull request addresses broken functionality)

tkol2022 (Collaborator) commented Dec 6, 2023

🐛 Summary

The AAD PowerShell provider contains a function named Get-PrivilegedUser which creates a hashtable of privileged users and their respective roles. This gets placed into a JSON element named privileged_users. When I ran against Test Tenant 3 (E5) I noticed that a couple of the users in that JSON element had a duplicate role SharePoint Administrator. I would expect to see a specific role listed only once for each user.

There are a couple of cases that seem to cause this to occur:

  1. The duplicate assignment is being listed in the JSON for the respective users because they are assigned to a privileged role as both Eligible and as Active at the same time.
  2. The problem also occurs when a user is directly assigned to a role and the user is a member of a group that is assigned to the role at the same time. See #221 (Get-PrivilegedUsers in the AAD Provider is collecting duplicate user role values) as previously reported for this scenario.

The problem is not specific to SharePoint Administrator - the same problem occurs for other roles based on my testing.

Examine the provider settings export JSON file below and observe that some of the users have the SharePoint Admin role listed twice.
[screenshot: provider settings export JSON with the SharePoint Administrator role listed twice for some users]

To reproduce

Re-create the conditions which cause the problem as documented above.

  1. For scenario 1, designate a specific user as the test case and then assign that user to a privileged role (e.g. SharePoint Administrator) as both Active and Eligible in PIM.
  2. For scenario 2, assign a user directly to a role and also assign them to a role via group membership (i.e. assign their group to the role).
  3. Run the AAD provider against the test tenant and you should observe the role listed twice in the privileged_users hashtable.
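One way to collapse the duplicates this report describes, as an added example that is not the provider's own code: a constructed set of Active, Eligible and group-based role assignments is folded into a per-user role set, so a role reached by more than one path is recorded once. The assignment fields, the group membership map and the function name Get-PrivilegedUserMap are assumptions made for the illustration.

```powershell
# Added illustration, not the AAD provider's code. Builds a privileged_users-style
# hashtable from constructed assignments and de-duplicates role names per user.
# Assumed shape: PrincipalId, PrincipalType ('User' or 'Group'), RoleName,
# Source ('Active' or 'Eligible'). Group membership is a constructed map.

$Assignments = @(
    @{ PrincipalId = 'user-a'; PrincipalType = 'User';  RoleName = 'SharePoint Administrator'; Source = 'Active' },
    @{ PrincipalId = 'user-a'; PrincipalType = 'User';  RoleName = 'SharePoint Administrator'; Source = 'Eligible' },
    @{ PrincipalId = 'user-b'; PrincipalType = 'User';  RoleName = 'Global Administrator';     Source = 'Active' },
    @{ PrincipalId = 'grp-1';  PrincipalType = 'Group'; RoleName = 'Global Administrator';     Source = 'Active' }
)
# Constructed group membership: group id -> member user ids (user-b is also directly assigned)
$GroupMembers = @{ 'grp-1' = @('user-b', 'user-c') }

function Get-PrivilegedUserMap {
    param([array]$Assignments, [hashtable]$GroupMembers)
    $RoleSets = @{}   # user id -> case-insensitive set of role names
    foreach ($a in $Assignments) {
        # Expand a group assignment to its members; a user assignment maps to itself
        $UserIds = if ($a.PrincipalType -eq 'Group') { $GroupMembers[$a.PrincipalId] } else { @($a.PrincipalId) }
        foreach ($uid in $UserIds) {
            if (-not $RoleSets.ContainsKey($uid)) {
                $RoleSets[$uid] = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
            }
            # HashSet.Add returns $false when the role is already present, so Active+Eligible
            # and direct+group assignments to the same role collapse to a single entry
            [void]$RoleSets[$uid].Add($a.RoleName)
        }
    }
    $PrivilegedUsers = @{}
    foreach ($uid in $RoleSets.Keys) {
        $PrivilegedUsers[$uid] = @{ roles = @($RoleSets[$uid] | Sort-Object) }
    }
    return $PrivilegedUsers
}

$Result = Get-PrivilegedUserMap -Assignments $Assignments -GroupMembers $GroupMembers
# user-a and user-b each list their role once; user-c gets Global Administrator via the group
$Result | ConvertTo-Json -Depth 3
```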
tkol2022 (Collaborator, author) commented Dec 6, 2023

I placed a priority of Low for this issue because my guess is that it is not creating any incorrect policy evaluations in the Rego, however I can't be sure of that.

buidav (Collaborator) commented Dec 6, 2023

Yup noticed this with #221. This happens when the user is in a role and a group.

tkol2022 (Collaborator, author) commented

Reviewed 12/14

I put a size of medium based on my guess of the testing complexity necessary to generate the required input data scenarios.
