I have a group of users, members of a group named “Tests”, whom I would like to be able to create objects (tasks, targets, etc.) available to the whole group Tests. E.g., User1 creates a task named Task1, which needs to be available, at least read-only, to all members of group Tests. Simple question, after all.
Currently, if user Test1 tries to add a new permission (allowing members of group Tests read access) to an object he just created, he gets an error saying “Given subject_id was invalid”. And obviously, other members of his group don’t see it.
What is the proper way to manage permissions in this scenario?
I’m using GSA indeed. The workflow you describe works if I do it using my admin account. But as soon as a user, member of group Tests, does the same for his tasks, he will get the “Given subject_id invalid” error.
An admin user can create role permissions for a task. A user with the “user” role, however, can’t, because the options in the ‘Create Permission’ dialog to select users, roles, or groups are missing and therefore an undefined subject_id is sent.
I admit that the UX in this case needs some work, but the behavior is correct. That is due to the reason that a normal “user” user doesn’t have access to other users, roles, or groups, and so the dialog options are not shown.
You should be able to overcome this problem by giving the user-role the get_groups permission, if that is something that fits your permission- and security-scheme.
Do you see the options in the dialog and are you able to select the “Tests” group? If the options are visible and the “Tests” group is by any chance the default group that is shown, please try to select another group first and change back to “Tests” before clicking “Save”. Maybe the group is listed and displayed correctly, but the id is not properly saved in the dialog state…
If the options are completely missing, there are problems with the get_roles, get_users, and get_groups permissions. At least, those are used in the dialog to show the drop downs only if granted.
Could you double check if the user in question has those permissions? Also try to grant them for a single user or for groups/roles. Maybe there is a bug, when assigning permissions to, say, users, but it would work for roles. This way we could at least rule that out.
Seems like it’s a bug, because granting those permissions to the group fixes the problem. So giving the permissions to the user himself will do nothing; you need to also give it to the user group.
The permission model in Greenbone seems very experimental at this point.
At least it fixes my issue now. Thanks for your help!