‘View Logs’ role seems to be bypassing conditional access for Grail storage. Is this true?

GosiaMurawska
Community Team

Will users or the group be able to read logs from all buckets?


Jon2
Dynatrace Helper

‘View Logs’ is a permission of type ‘role’, and as such it does not adhere to attribute-based conditions. Consider, for example, that one of your user groups has been assigned:

  •  the ‘View Logs’ role
  •  a policy:

     // Grail read data
     ALLOW storage:buckets:read WHERE storage:table-name = "logs";
     ALLOW storage:logs:read;

and a policy boundary applied with the following condition:

     storage:bucket-name = 'default_logs';

The ‘View Logs’ role assignment will bypass the attribute conditions set in the policy and boundary when those two are applied to the group. This means users of the group will be able to read logs from all buckets.

To fix this, you can remove the role assignment and instead express it in an existing or new policy assigned to the same group, like this:

     // Classic
     ALLOW environment:roles:logviewer;

Do not forget to apply the policy boundary to the new or modified policy.
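The evaluation order the reply describes, as an added example that is not part of the original post and not Dynatrace's own IAM engine: a small model in which direct role assignments are granted before any policy is consulted (so a boundary never reaches them), while statements inside a policy are granted only when the boundary's conditions also hold. The role-to-permission mapping, the set of permissions treated as "can read logs", and the bucket names are assumptions made for this model.

```python
# Added example (not from the original post or Dynatrace): a model of the
# evaluation order described in the reply. Direct role assignments are granted
# outside policy evaluation, so a policy boundary never reaches them, while
# statements inside a policy are granted only when the boundary's conditions
# also hold. The role-to-permission mapping and the "which permissions read
# logs" set are assumptions made for the model, not Dynatrace internals.
from dataclasses import dataclass, field


@dataclass
class Statement:
    permission: str                                   # e.g. "storage:logs:read"
    conditions: dict = field(default_factory=dict)    # WHERE attr = value


@dataclass
class Policy:
    statements: list
    boundary: dict = field(default_factory=dict)      # boundary conditions, ANDed onto every statement


@dataclass
class Group:
    roles: set          # classic roles assigned directly to the group
    policies: list      # policies (with their boundaries) assigned to the group


# Assumption: the classic "View Logs" role is the same grant as the
# environment:roles:logviewer permission named in the reply.
ROLE_PERMISSIONS = {"View Logs": {"environment:roles:logviewer"}}
# Assumption: either of these lets a user read log records from a bucket.
LOG_READ_PERMISSIONS = {"storage:logs:read", "environment:roles:logviewer"}


def conditions_hold(conditions, attrs):
    """All attribute conditions must match the request (an empty condition set always holds)."""
    return all(attrs.get(name) == value for name, value in conditions.items())


def can_read_logs(group, attrs):
    """Decide one request, e.g. attrs = {"storage:bucket-name": "x", "storage:table-name": "logs"}."""
    # 1. Direct role assignments: no statement conditions, no boundary. This is the bypass.
    for role in group.roles:
        if ROLE_PERMISSIONS.get(role, set()) & LOG_READ_PERMISSIONS:
            return True
    # 2. Policy statements: granted only if the statement's own WHERE conditions
    #    AND the policy boundary's conditions all hold for this request.
    for policy in group.policies:
        if not conditions_hold(policy.boundary, attrs):
            continue
        for stmt in policy.statements:
            if stmt.permission in LOG_READ_PERMISSIONS and conditions_hold(stmt.conditions, attrs):
                return True
    return False


def readable_buckets(group, buckets):
    """Which of the given buckets the group can read logs from, sorted by name."""
    return sorted(
        b for b in buckets
        if can_read_logs(group, {"storage:bucket-name": b, "storage:table-name": "logs"})
    )


# The Grail read policy and boundary from the reply.
GRAIL_READ = Policy(
    statements=[
        Statement("storage:buckets:read", {"storage:table-name": "logs"}),
        Statement("storage:logs:read"),
    ],
    boundary={"storage:bucket-name": "default_logs"},
)
# Constructed sample bucket names for the demonstration.
BUCKETS = ["default_logs", "custom_logs_audit", "custom_logs_app"]

# Before: role assigned directly alongside the bounded policy -> every bucket is readable.
BEFORE = Group(roles={"View Logs"}, policies=[GRAIL_READ])

# After: role removed and expressed as a statement in a policy that carries the same boundary.
FIXED = Group(
    roles=set(),
    policies=[Policy(
        statements=GRAIL_READ.statements + [Statement("environment:roles:logviewer")],
        boundary=GRAIL_READ.boundary,
    )],
)

# Pitfall from the last line of the reply: the new policy without the boundary
# re-opens every bucket, exactly as the direct role assignment did.
FORGOT_BOUNDARY = Group(
    roles=set(),
    policies=[GRAIL_READ, Policy(statements=[Statement("environment:roles:logviewer")])],
)

if __name__ == "__main__":
    for name, group in [("role assigned", BEFORE), ("fixed", FIXED), ("boundary forgotten", FORGOT_BOUNDARY)]:
        print(f"{name:>19}: {readable_buckets(group, BUCKETS)}")
```

Running the model prints all three buckets for the group with the role assigned directly, only default_logs once the role is expressed inside the bounded policy, and all three buckets again when the new policy is created without the boundary, which is the case the last sentence of the reply warns about.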
