[Org segregation] Object not visible despite belonging to the correct organization #9078

Open
Lhorus6 opened this issue Nov 19, 2024 · 2 comments · May be fixed by #9558
Lhorus6 commented Nov 19, 2024

Description

Data sharing with organizations (i.e. organization segregation) does not take into account organizations added to the user by the inference engine.

Environment

OCTI 6.3.13

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create 3 organizations
    • "New org" organization
    • "Child" organization, which is a child org of "New org" (i.e. create a relation "Child" -> part of -> "New org")
    • "Parent" organization, which is the parent org of "New org" (i.e. create a relation "New org" -> part of -> "Parent")

  2. Activate this inference rule

Image

  3. Create user A with read-only capability (i.e. access knowledge) + all markings allowed + part of "New org". With the inference rule, the "Parent" org will also be added automatically.

  4. Create 3 reports
    • "Child" report, shared with "Child" org
    • "New org" report, shared with "New org" org
    • "Parent" report, shared with "Parent" org

  5. Log in with user A and see the list of accessible reports

Expected Output

As I am part of New org (manually added), and Parent (added by inference rule), I hope to see the "New org" and "Parent" reports.

Actual Output

I only see what is shared with "New org", not what is shared with "Parent".

Additional information

If I remove "New org" from user A, "Parent" is also automatically removed (which is normal). If I now manually add "Parent", then "New org" (so both are added manually, and not thanks to the inference rule), I see the two expected reports. The problem therefore seems to be that the inferred membership is not taken into account in the segregation by organization.

Additional idea

Shouldn't we have an automatic mechanism (without the need for an inference rule)?

Example:

If I am part of "New org", I inherit from "Parent" (or "Child", I don't know). And so, even if I am not part of "Parent" (or "Child"), I still see the information shared with it.

It's an idea, I don't know if it's desired. But in any case this is currently not the case (you can redo the repro case of this issue without activating the inference rule, and you will see).

Lhorus6 added the bug and needs triage labels Nov 19, 2024
Kedae removed the needs triage label Nov 20, 2024
Kedae added this to the Bugs backlog milestone Nov 20, 2024
marieflorescontact self-assigned this Dec 16, 2024
Member

marieflorescontact commented Jan 6, 2025

Just to verify expected behavior @romain-filigran @richard-julien:
we want a user belonging to organization A to be able to access reports shared with A's parent organization when the inference rule is activated:
Image

(=> I want to be sure that the expected behavior is the same for inferred relationships as for “non-inferred” relationships.)

Author

Lhorus6 commented Jan 8, 2025

If you have the inference rule enabled, you are ultimately part of the organization. So you should see what is shared with it because you are actually part of this organization; it is not an inheritance.

The subject concerning "inheritance" is the one I raise in the last part of my issue, in the "Additional idea" part. It is an open question for Product, not related to the bug. But it would be good to look into it @Jipegien, @romain-filigran (outside of this issue @marieflorescontact, don't bother yourself with it).
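The repro scenario from this issue, written as a small authorization regression check. This is an added example, not OpenCTI code and not taken from the thread: every name in it (`partOf`, `inferMemberships`, `buildUser`, `visibleReports`) is hypothetical, and the inference rule is assumed to add only the direct parent, as in the repro. It models the observed symptom and the expected output, not the actual cause in the platform.

```javascript
// Added illustration: a simplified model of the repro, not OpenCTI code.
// All function and field names here are hypothetical.

// "part of" relations from step 1, as [child, parent] pairs.
const partOf = [["Child", "New org"], ["New org", "Parent"]];

// Reports from step 4, each shared with one organization.
const reports = [
  { name: "Child report", sharedWith: ["Child"] },
  { name: "New org report", sharedWith: ["New org"] },
  { name: "Parent report", sharedWith: ["Parent"] },
];

// Inference rule as the repro describes it (assumed single step): a user who
// is a member of X, where X is part of Y, also becomes a member of Y.
function inferMemberships(direct) {
  const inferred = new Set();
  for (const org of direct) {
    for (const [child, parent] of partOf) {
      if (child === org && !direct.includes(parent)) inferred.add(parent);
    }
  }
  return [...inferred];
}

// A user carries manual memberships plus inferred ones, flagged as such.
function buildUser(name, directOrgs) {
  return {
    name,
    memberships: [
      ...directOrgs.map((org) => ({ org, inferred: false })),
      ...inferMemberships(directOrgs).map((org) => ({ org, inferred: true })),
    ],
  };
}

// Organization segregation filter. includeInferred=false models the reported
// output; includeInferred=true models the expected output from the issue.
function visibleReports(user, { includeInferred }) {
  const orgs = new Set(
    user.memberships.filter((m) => includeInferred || !m.inferred).map((m) => m.org)
  );
  return reports.filter((r) => r.sharedWith.some((o) => orgs.has(o))).map((r) => r.name);
}

const userA = buildUser("user A", ["New org"]);
console.log("reported:", visibleReports(userA, { includeInferred: false }));
console.log("expected:", visibleReports(userA, { includeInferred: true }));
```

A check like this belongs next to the segregation filter's tests, so that an inferred membership and a manual one are asserted to grant the same visibility.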
