
Add code to AAD provider and Rego for 7.6 through 7.9 to support PIM for Groups #919

Closed
5 tasks
tkol2022 opened this issue Feb 16, 2024 · 0 comments · Fixed by #945
Labels: enhancement (This issue or pull request will add new or improve existing functionality)

Comments

tkol2022 (Collaborator) commented Feb 16, 2024

💡 Summary

Based on the prototyping performed for #792, we need to augment the existing AAD provider to extract the PIM for Groups configuration settings to support policies 7.6 through 7.9. Augment the Rego code to include the PIM for Groups configuration data in the policy evaluations.

Implementation notes

Add code to the AAD provider Get-PrivilegedRole function:

  • Whenever a group is found in the loop that iterates all the Active role assignments, check if that group is enrolled in PIM for Groups
  • If the group is enrolled, then grab its configuration settings from PIM for Groups (get the "Member" config settings, not the Owner)
  • Leave the current code that grabs the configuration settings for the roles as-is. We still need to get the config data for the roles.
  • Add code to load the PIM for Groups configurations into the JSON that is sent to the Rego. Each role can have one or more group configurations.

Add code to the AAD Rego for policies 7.6 through 7.9:

  • In addition to checking the configurations for each role, the policies need to examine the configurations at the group level. For a policy to be compliant (Pass), the role configurations AND the group configurations must be compliant with the baseline policy.

Note that in this new JSON structure that includes the PIM for Groups configurations, each role can have one or more group configurations associated with it.
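As an added illustration, not ScubaGear's own Rego or its real input schema, the role-AND-group evaluation the implementation notes describe, shown for policy 7.6's approval-required check. The field names `Rules`, `Id`, `Setting`, `Groups` and `DisplayName`, the nesting of group configs under each role, and the rule id string are all assumptions:

```rego
package aad_pim_groups_example

import future.keywords.if
import future.keywords.in

# Rule id behind policy 7.6 (approval required to activate). Assumption:
# rules carry "Id" and "Setting"; the real field names are not in the issue.
approval_rule_id := "Approval_EndUser_Assignment"
# A rule set (role-level or group-level) fails 7.6 when activation needs no approval.
approval_not_required(rules) if {
    some rule in rules
    rule.Id == approval_rule_id
    rule.Setting.isApprovalRequired == false
}

# Role-level failures: the check that existed before PIM for Groups.
role_failures(roles) := {role.RoleName |
    some role in roles
    approval_not_required(role.Rules)
}

# Group-level failures: every PIM group attached to a role must pass too.
# Assumption: the provider nests the group configs under role.Groups.
group_failures(roles) := {sprintf("%s (via group %s)", [role.RoleName, group.DisplayName]) |
    some role in roles
    some group in role.Groups
    approval_not_required(group.Rules)
}
# Policy 7.6 passes only when neither the roles nor any of their groups fail.
policy_7_6_passes(roles) := passes if {
    failures := count(role_failures(roles)) + count(group_failures(roles))
    passes := failures == 0
}
# Constructed sample: the role itself is compliant, but a group enrolled in
# PIM for Groups that is eligible for it is not, so the policy must fail.
sample_roles := [{
    "RoleName": "Global Administrator",
    "Rules": [{"Id": approval_rule_id, "Setting": {"isApprovalRequired": true}}],
    "Groups": [{
        "DisplayName": "GA-Eligible-Admins",
        "Rules": [{"Id": approval_rule_id, "Setting": {"isApprovalRequired": false}}],
    }],
}]

report := {
    "RoleFailures": role_failures(sample_roles),
    "GroupFailures": group_failures(sample_roles),
    "Policy7.6Pass": policy_7_6_passes(sample_roles),
}
```

Running `opa eval -d example.rego 'data.aad_pim_groups_example.report'` yields an empty `RoleFailures`, one entry in `GroupFailures` for the eligible group, and `Policy7.6Pass` equal to `false`, which is the behaviour the notes require: a compliant role configuration alone is not enough once any of its PIM groups is misconfigured.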
