<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:21:43 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2582] Privilege escalation tenant admins with permissions.all to okapi.all</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2582</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;If a tenant user is granted permissions.all, that user can assign themselves okapi.all. Operators may want to give users a tenant admin, but prevent that tenant admin from gaining okapi.all.&lt;/p&gt;

&lt;p&gt;I believe stripes requires the okapi interface. If the okapi interface were not enabled on the tenant, there would be no okapi.all to grant.&lt;/p&gt;</description>
                <environment></environment>
        <key id="81723">FOLIO-2582</key>
            <summary>Privilege escalation tenant admins with permissions.all to okapi.all</summary>
                <type id="10005" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium">Story</type>
                                            <priority id="10000" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p1.svg">P1</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5f8314dfbdef80006f6f572d">Adam Dickmeiss</assignee>
                                                                <reporter accountid="5cd423bebc70090d6ce241b1">Ian Hardy</reporter>
                                    <labels>
                            <label>platform-backlog</label>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Mon, 4 May 2020 16:48:22 +0000</created>
                <updated>Mon, 28 Feb 2022 12:29:01 +0000</updated>
                            <resolved>Wed, 3 Nov 2021 14:56:43 +0000</resolved>
                                                                        <due></due>
                            <votes>1</votes>
                                    <watches>7</watches>
                                                                <comments>
                                                            <comment id="198620" author="5c10cd488ce9b546efc4d9c4" created="Mon, 3 Aug 2020 12:21:31 +0000"  >&lt;p&gt;Postponed until the decision about permissions level.&lt;/p&gt;</comment>
                                                            <comment id="198623" author="557058:4f6bed01-40a6-48d5-8471-7ef21f5ea97c" created="Mon, 3 Aug 2020 12:23:09 +0000"  >&lt;p&gt;Maybe we can separate Okapi interface to at least two: one less privileged to be used by Stripes, and the other one used by supertenant to manage tenants and modules?&lt;/p&gt;</comment>
                                                            <comment id="198626" author="5cf6c546b87c300f36eb7b9a" created="Fri, 16 Jul 2021 15:21:07 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; The security team would like an update on the status of this...  It&apos;s marked as a P2, but hasn&apos;t moved in a long time.  Is this something that&apos;s going to be scheduled to be worked on anytime soon?  Are there blockers?  etc.&lt;/p&gt;</comment>
                                                            <comment id="198628" author="5cf6c546b87c300f36eb7b9a" created="Fri, 16 Jul 2021 15:21:07 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; The security team would like an update on the status of this...  It&apos;s marked as a P2, but hasn&apos;t moved in a long time.  Is this something that&apos;s going to be scheduled to be worked on anytime soon?  Are there blockers?  etc.&lt;/p&gt;</comment>
                                                            <comment id="198630" author="5cf6c546b87c300f36eb7b9a" created="Thu, 14 Oct 2021 15:32:23 +0000"  >&lt;p&gt;Discussed with CP team and bumped to P1... This one is dangerous.&#160; There could be some overlap with discussions around system/tenant-level users...&#160;&lt;/p&gt;</comment>
                                                            <comment id="198633" author="5f8314dfbdef80006f6f572d" created="Thu, 14 Oct 2021 19:06:10 +0000"  >&lt;p&gt;Perhaps this could be achieved by a desired permission &quot;permissions.grant.extra&quot; or a separate end-point. This permission would only be handed out to the supertenant&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/star_yellow.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt;&lt;/p&gt;

&lt;p&gt;This permission would not be given to the Stripes super user. All users (that do not have permissions.grant.extra) would not be able to offer permissions to others that they don&apos;t own themselves. The stripes super user should also only get okapi.readonly (not okapi.all so that mod-authtoken can be disabled - for example or worse)&lt;/p&gt;

&lt;p&gt;mod-permissions would require a change where it rejects adding permissions to a user that is not already owned by the user performing the operation.&lt;/p&gt;

&lt;p&gt;*: supertenant is an unfortunate naming convention. In some cases it means the tenant that is used when nothing is specified (default tenant) and in other cases, the tenant user that has all permissions.&lt;/p&gt;</comment>
                                                            <comment id="198638" author="5f8314dfbdef80006f6f572d" created="Mon, 25 Oct 2021 15:04:56 +0000"  >&lt;p&gt;The above idea is manifested in 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODPERMS-157&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODPERMS-157&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Check assignment permissions for operating user&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium&quot; /&gt;
            MODPERMS-157
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 .. Which is now in code review. Please look at it if you have questions or concerns.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="81435">FOLIO-2280</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="34333">MODPERMS-157</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i03km4:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1181">CP: sprint 126</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10044" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 3 Aug 2020 12:21:31 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>