27 Jan 2025 01:10 PM
Will users or the group be able to read logs from all buckets?
27 Jan 2025 01:11 PM - edited 27 Jan 2025 01:36 PM
“View Logs” is a permission of type ‘role’, and as such, it does not adhere to attribute-based conditions. Consider, for example, that one of your user groups has been assigned:
//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "logs";
ALLOW storage:logs:read;
and a policy boundary applied with the following condition:
storage:bucket-name = 'default_logs';
The ‘View Logs’ role assignment will bypass the attribute conditions set in the policy and boundary when those two are applied to the group. This means users of the group will be able to read logs from all buckets.
To fix this, you can remove the role assignment and instead express it in an existing or new policy assigned to the same group, like this:
//Classic
ALLOW environment:roles:logviewer;
Do not forget to apply the policy boundary to the new policy you modified.
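The behaviour described in this answer, as an added example that is not part of the original post or a Dynatrace component: a small model that parses the policy statements shown above, applies the boundary as an extra condition on every statement, and treats a role-type assignment as a grant that no condition touches. The evaluator, the permission names it checks for a log read, and the bucket name "other_bucket" are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the post's explanation; not Dynatrace's own evaluator.
STMT_RE = re.compile(r'ALLOW\s+([\w:\-]+)(?:\s+WHERE\s+(.+?))?\s*;', re.S)
COND_RE = re.compile(r'([\w:\-]+)\s*=\s*["\']([^"\']*)["\']')

def parse_policy(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (permission, conditions) pairs from policy text, dropping // comments."""
    body = re.sub(r'//[^\n]*', '', text)
    return [(perm, dict(COND_RE.findall(where))) for perm, where in STMT_RE.findall(body)]

@dataclass
class GroupAccess:
    policy: str                                   # IAM policy statements assigned to the group
    boundary: str = ''                            # policy boundary condition text
    roles: set[str] = field(default_factory=set)  # role-type assignments, e.g. "View Logs"

    def _granted(self, perm: str, ctx: dict[str, str]) -> bool:
        bound = dict(COND_RE.findall(self.boundary))
        for p, conds in parse_policy(self.policy):
            # The boundary narrows every statement of the policy it is applied to.
            if p == perm and all(ctx.get(k) == v for k, v in {**conds, **bound}.items()):
                return True
        return False

    def can_read_logs(self, bucket: str) -> bool:
        ctx = {"storage:bucket-name": bucket, "storage:table-name": "logs"}
        if "View Logs" in self.roles:
            return True  # role-type permission: conditions and boundary never apply
        if self._granted("environment:roles:logviewer", ctx):
            return True  # same role expressed as a policy statement: boundary applies
        return self._granted("storage:buckets:read", ctx) and self._granted("storage:logs:read", ctx)

GRAIL_POLICY = '''//Grail read data
ALLOW storage:buckets:read WHERE storage:table-name = "logs";
ALLOW storage:logs:read;
'''
BOUNDARY = "storage:bucket-name = 'default_logs';"

# Before: 'View Logs' assigned as a role next to the bounded policy.
before = GroupAccess(GRAIL_POLICY, BOUNDARY, roles={"View Logs"})
# After: role assignment removed and expressed as a statement under the same boundary.
after = GroupAccess(GRAIL_POLICY + "//Classic\nALLOW environment:roles:logviewer;\n", BOUNDARY)

if __name__ == "__main__":
    for label, group in (("before", before), ("after", after)):
        print(label, {b: group.can_read_logs(b) for b in ("default_logs", "other_bucket")})
```

Running it shows the "before" group reading logs from both buckets and the "after" group reading only from default_logs.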