stackrox · rhybrillou · Nov 8, 2022 · Oct 14, 2022 · Oct 18, 2022 · Nov 7, 2022
@@ -0,0 +1,4 @@
+The permissions `AllComments`, `ComplianceRuns`, `ComplianceRunSchedule`, `Config`, `DebugLogs`, 
+`NetworkGraphConfig`, `ProbeUpload`, `ScannerBundle`, `ScannerDefinitions`, `SensorUpgradeConfig` 
+and `ServiceIdentity` should be removed from the files `myPermissionsMinimalAccess.json` and 
+`myPermissionsNoAccess.json`.
@@ -19,6 +19,7 @@
         "NetworkPolicy": "READ_ACCESS",
         "Node": "NO_ACCESS",
         "Policy": "READ_ACCESS",
+        "Role": "NO_ACCESS",
         "Secret": "READ_ACCESS",
         "ServiceAccount": "NO_ACCESS",
         "VulnerabilityManagementApprovals": "NO_ACCESS",

@@ -19,6 +19,7 @@
         "NetworkPolicy": "NO_ACCESS",
         "Node": "NO_ACCESS",
         "Policy": "NO_ACCESS",
+        "Role": "NO_ACCESS",
         "Secret": "NO_ACCESS",
         "ServiceAccount": "NO_ACCESS",
         "VulnerabilityManagementApprovals": "NO_ACCESS",

@@ -135,6 +135,7 @@ describe('Access Control Permission sets', () => {
         });
     });
 
+    // TODO: ROX-12750 Rename DebugLogs to Administration
     it('direct link to default Analyst has all (but DebugLogs) read and no write access', () => {
         visitPermissionSet('io.stackrox.authz.permissionset.analyst');
 
@@ -155,6 +156,7 @@ describe('Access Control Permission sets', () => {
 
             $tds.get().forEach((td) => {
                 const resource = td.textContent;
+                // TODO: ROX-12750 Rename DebugLogs to Administration
                 if (resource === 'DebugLogs') {
                     cy.get(getReadAccessIconForResource(resource)).should(
                         'have.attr',
@@ -301,6 +303,7 @@ describe('Access Control Permission sets', () => {
             getAccessLevelSelectForResource,
         } = selectors.form.permissionSet;
 
+        // TODO: ROX-12750 Rename ServiceIdentity to Administration
         const resourcesLimited = ['Cluster', 'ServiceIdentity'];
 
         cy.get(selectors.form.permissionSet.tdResource).then(($tds) => {
@@ -346,16 +349,19 @@ describe('Access Control Permission sets', () => {
             'Read and Write Access'
         );
 
+        // TODO: ROX-12750 Rename ServiceIdentity to Administration
         cy.get(getReadAccessIconForResource('ServiceIdentity')).should(
             'have.attr',
             'aria-label',
             'permitted'
         );
+        // TODO: ROX-12750 Rename ServiceIdentity to Administration
         cy.get(getWriteAccessIconForResource('ServiceIdentity')).should(
             'have.attr',
             'aria-label',
             'permitted'
         );
+        // TODO: ROX-12750 Rename ServiceIdentity to Administration
         cy.get(getAccessLevelSelectForResource('ServiceIdentity')).should(
             'contain',
             'Read and Write Access'

@@ -9,17 +9,10 @@ const resourceDescriptions: Record<ResourceName, string> = {
     Administration:
         'Read: View platform configuration (e.g., network graph, sensor, debugging configs). Write: Modify platform configuration, delete comments from other users.',
     Alert: 'Read: View policy violations. Write: Resolve or edit policy violations.',
-    AllComments:
-        'Read: N/A Write: Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with write access for the resource you are modifying.',
     CVE: 'Internal use only',
     Cluster: 'Read: View secured clusters. Write: Add, modify, or delete secured clusters.',
     Compliance:
         'Read: View compliance standards, results, and runs. Write: Add, modify, or delete scheduled compliance runs.',
-    ComplianceRuns:
-        'Read: View recent compliance runs and their completion status. Write: Trigger compliance runs.',
-    Config: 'Read: View options for data retention, security notices, and other related configurations. Write: Modify options for data retention, security notices, and other related configurations.',
-    DebugLogs:
-        "Read: View the current logging verbosity level of all components, including Central, Scanner, Sensor, Collector, and Admission controller. Download the diagnostic bundle. Important: The diagnostic bundle contains sensitive information, not dependent on the user's role and access scope. The diagnostic bundle includes information about all clusters and namespaces, access control, notifier integrations, and system configuration. Do not give this permission to users with limited access scope. Write: Modify the logging verbosity level.",
     Deployment: 'Read: View deployments (workloads) in secured clusters. Write: N/A',
     DeploymentExtension:
         'Read: View network and process baseline extensions, risk score of deployments. Write: Modify the process and network baseline extensions of deployments.',
@@ -36,23 +29,13 @@ const resourceDescriptions: Record<ResourceName, string> = {
     Namespace: 'Read: View Kubernetes namespaces in secured clusters. Write: N/A',
     NetworkGraph:
         'Read: View active and allowed network connections in secured clusters. Write: N/A',
-    NetworkGraphConfig:
-        'Read: View network graph configuration. Write: Modify network graph configuration.',
     NetworkPolicy:
         'Read: View network policies in secured clusters and simulate changes. Write: Apply network policy changes in secured clusters.',
     Node: 'Read: View Kubernetes nodes in secured clusters. Write: N/A',
     Policy: 'Read: View system policies. Write: Add, modify, or delete system policies.',
-    ProbeUpload:
-        'Read: Read manifests for the uploaded probe files. Write: Upload support packages to Central.',
-    ScannerBundle: 'Read: Download the scanner bundle. Write: N/A',
-    ScannerDefinitions:
-        'Read: List image scanner integrations. Write: Add, modify, or delete image scanner integrations.',
+    Role: 'Read: View roles, permision sets and access scopes. Write: Add, modify or delete roles, permission sets and access scopes.',
     Secret: 'Read: View metadata about secrets in secured clusters. Write: N/A',
-    SensorUpgradeConfig:
-        'Read: Check the status of automatic upgrades. Write: Disable or enable automatic upgrades for secured clusters.',
     ServiceAccount: 'Read: List Kubernetes service accounts in secured clusters. Write: N/A',
-    ServiceIdentity:
-        'Read: View metadata about service-to-service authentication. Write: Revoke or reissue service-to-service authentication credentials.',
     VulnerabilityManagementApprovals:
         'Read: View all pending deferral or false positive requests for vulnerabilities. Write: Approve or deny any pending deferral or false positive requests and move any previously approved requests back to observed.',
     VulnerabilityManagementRequests:
@@ -63,6 +46,26 @@ const resourceDescriptions: Record<ResourceName, string> = {
         'Read: View undeployed watched images monitored. Write: Configure watched images.',
     WorkflowAdministration:
         'Read: View all resource collections. Write: Add, modify, or delete resource collections.',
+    // TODO: ROX-12750 Remove AllComments, ComplianceRunSchedule, ComplianceRuns, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig and ServiceIdentity.
+    AllComments:
+        'Read: N/A Write: Delete comments from other users. All users can edit and delete their own comments by default. To add and remove comments or tags, you need a role with write access for the resource you are modifying.',
+    ComplianceRuns:
+        'Read: View recent compliance runs and their completion status. Write: Trigger compliance runs.',
+    Config: 'Read: View options for data retention, security notices, and other related configurations. Write: Modify options for data retention, security notices, and other related configurations.',
+    DebugLogs:
+        "Read: View the current logging verbosity level of all components, including Central, Scanner, Sensor, Collector, and Admission controller. Download the diagnostic bundle. Important: The diagnostic bundle contains sensitive information, not dependent on the user's role and access scope. The diagnostic bundle includes information about all clusters and namespaces, access control, notifier integrations, and system configuration. Do not give this permission to users with limited access scope. Write: Modify the logging verbosity level.",
+    NetworkGraphConfig:
+        'Read: View network graph configuration. Write: Modify network graph configuration.',
+    ProbeUpload:
+        'Read: Read manifests for the uploaded probe files. Write: Upload support packages to Central.',
+    ScannerBundle: 'Read: Download the scanner bundle. Write: N/A',
+    ScannerDefinitions:
+        'Read: List image scanner integrations. Write: Add, modify, or delete image scanner integrations.',
+    SensorUpgradeConfig:
+        'Read: Check the status of automatic upgrades. Write: Disable or enable automatic upgrades for secured clusters.',
+    ServiceIdentity:
+        'Read: View metadata about service-to-service authentication. Write: Revoke or reissue service-to-service authentication credentials.',
+    // End of ROX-12750 removal block
 };
 
 export type ResourceDescriptionProps = {

@@ -81,6 +81,7 @@ function MainPage(): ReactElement {
         return <LoadingSection message="Loading..." />;
     }
 
+    // TODO: ROX-12750 Replace ServiceIdentity with Administration
     const hasServiceIdentityWritePermission = hasReadWriteAccess('ServiceIdentity');
 
     return (

@@ -27,6 +27,7 @@ const SystemConfigPage = (): ReactElement => {
     const { hasReadAccess, hasReadWriteAccess } = usePermissions();
     */
     const { hasReadWriteAccess } = usePermissions();
+    // TODO: ROX-12750 Replace Config with Administration
     const hasReadWriteAccessForConfig = hasReadWriteAccess('Config');
     const { isFeatureFlagEnabled } = useFeatureFlags();
     const isDecommissionedClusterRetentionEnabled = isFeatureFlagEnabled(

@@ -104,7 +104,7 @@ function VulnMgmtReportForm({
     const [message, setMessage] = useState<FormResponseMessage>(null);
 
     const { hasReadWriteAccess, hasReadAccess } = usePermissions();
-    const hasRoleWriteAccess = hasReadWriteAccess('Access');
+    const hasRoleWriteAccess = hasReadWriteAccess('Role');
     const hasClusterReadAccess = hasReadAccess('Cluster');
     const hasNamespaceReadAccess = hasReadAccess('Namespace');
     const hasNotifierWriteAccess = hasReadWriteAccess('Integration');

@@ -45,12 +45,12 @@ function ReportTablePage({ query }: ReportTablePageProps): ReactElement {
     const { hasReadWriteAccess, hasReadAccess } = usePermissions();
     const hasVulnReportWriteAccess = hasReadWriteAccess('VulnerabilityReports');
     const hasImageReadAccess = hasReadAccess('Image');
-    const hasAccessScopeReadAccess = hasReadAccess('Access');
+    const hasRoleScopeReadAccess = hasReadAccess('Role');
     const hasNotifierIntegrationReadAccess = hasReadAccess('Integration');
     const canWriteReports =
         hasVulnReportWriteAccess &&
         hasImageReadAccess &&
-        hasAccessScopeReadAccess &&
+        hasRoleScopeReadAccess &&
         hasNotifierIntegrationReadAccess;
 
     const searchOptions = useSearchOptions(searchCategories.REPORT_CONFIGURATIONS) || [];

@@ -60,6 +60,7 @@ export const oidcCallbackValues = {
 export const defaultMinimalReadAccessResources = [
     'Alert',
     'Cluster',
+    // TODO: ROX-12750 Replace Config with Administration
     'Config',
     'Deployment',
     'Image',

@@ -26,6 +26,8 @@ const stateSelector = createStructuredSelector<{
 
 // TODO(ROX-11453): Remove this mapping once the old resources are fully deprecated.
 const replacedResourceMapping = new Map<ResourceName, string>([
+    // TODO: ROX-12750 Remove AllComments, ComplianceRunSchedule, ComplianceRuns, Config, DebugLogs,
+    // NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig and ServiceIdentity.
     ['AllComments', 'Administration'],
     ['ComplianceRuns', 'Compliance'],
     ['Config', 'Administration'],

@@ -106,6 +106,8 @@ const getIsLoadingUserRolePermissions = (state) => state.isLoading;
 
 // TODO(ROX-11453): Remove this mapping once the old resources are fully deprecated.
 const replacedResourceMapping = new Map([
+    // TODO: ROX-12750 Remove AllComments, ComplianceRunSchedule, ComplianceRuns, Config, DebugLogs,
+    // NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig and ServiceIdentity.
     ['AllComments', 'Administration'],
     ['ComplianceRuns', 'Compliance'],
     ['Config', 'Administration'],

@@ -31,6 +31,7 @@ describe('userRolePermissions selector', () => {
             name: '',
             userRolePermissions: {
                 Deployment: 'READ_ACCESS',
+                // TODO: ROX-12750 Replace ServiceIdentity with Administration
                 ServiceIdentity: 'NO_ACCESS',
             },
         };

@@ -28,6 +28,7 @@ export type ResourceName =
     | 'NetworkPolicy'
     | 'Node'
     | 'Policy'
+    | 'Role'
     | 'Secret'
     | 'ServiceAccount'
     | 'VulnerabilityManagementApprovals'
@@ -36,6 +37,8 @@ export type ResourceName =
     | 'WatchedImage'
     | 'WorkflowAdministration'
     // To-be-deprecated resources.
+    // TODO: ROX-12750 Remove AllComments, ComplianceRunSchedule, ComplianceRuns, Config, DebugLogs,
+    // NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig and ServiceIdentity.
     | 'AllComments'
     | 'ComplianceRuns'
     | 'Config'