Question - Compliance Analysis Finding permission issue

Hi eramba community!

We are planning to add a role for a person that will VIEW one of the Compliance Analyses for a specific package and be able to manage Findings for it.

We did:

  1. Created the group

  2. Adjusted the role permissions with only these permissions enabled:
     - ComplianceAnalysisFindings/Add
     - ComplianceAnalysisFindings/Delete
     - ComplianceAnalysisFindings/DownloadAttachment
     - ComplianceAnalysisFindings/Edit
     - ComplianceAnalysisFindings/History
     - ComplianceAnalysisFindings/Index
     - ComplianceAnalysisFindings/Restore
     - ComplianceAnalysisFindings/Trash
     - ComplianceManagements/Index

  3. Made the group one of the Owners of all items of the specific package (on the Compliance Analysis screen)

  4. Added the user to the group.

It almost worked 100% correctly. The only issue we are having is that the user is able to add Findings to all packages, while the expectation was that he would see only the package he is one of the owners of. Specifically, the user can:

a) See the list of all packages we have (when adding a finding, in the “Affected Compliance Items” tab → Compliance Package field)
b) Add Findings to packages the user isn’t an owner of, which he isn’t supposed to have access to
c) As a consequence of item “b”, our team might find incorrect findings inside their package analysis.

Sorry for my English, and I hope I was able to describe the issue understandably.

Thanks in advance!

PS: we are using “App Version: c2.8.1 | DB Schema Version: c2.8.1”

I understand what you want, but that is not the way eramba works: “add” means you “add”, no matter where that item is applied. The idea that visualisations (which is what prevents the user from seeing other packages) should be applied to “fields” within a form is not something we have now.

It's a pretty complicated piece of code to build, and we are not nearly there, to be honest. Next year we want to start working on field-level actions (user-defined workflows, triggers, etc.), so maybe this is something to consider when we get there.

int ref: https://github.com/eramba/eramba/issues/3963
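The distinction drawn in the reply above, as an added illustration (this is not eramba's code; the role table, group names, packages, user and findings are constructed for the example): a role-level action check such as `ComplianceAnalysisFindings/Add` answers "may this user perform the action at all", while the ownership scope that hides other packages from view is a separate, object-level check. When the form field is not covered by that second check, the action succeeds against any package. The example shows both checks side by side, an ownership-filtered list for the "Compliance Package" field, and a review query that flags findings filed against a package the creator does not own, which is the residual risk of option 2 below.

```python
from dataclasses import dataclass

# Constructed sample role table (group -> controller/action permissions),
# using the permission names listed in the question. Not eramba's own data model.
ROLE_PERMISSIONS = {
    "external-auditors": {
        "ComplianceAnalysisFindings/Add",
        "ComplianceAnalysisFindings/Edit",
        "ComplianceAnalysisFindings/Index",
        "ComplianceManagements/Index",
    },
    "internal-grc": {
        "ComplianceAnalysisFindings/Add",
        "ComplianceAnalysisFindings/Index",
        "ComplianceManagements/Index",
    },
}


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Package:
    name: str
    owner_groups: frozenset  # groups listed as Owners of the package's items


@dataclass(frozen=True)
class Finding:
    finding_id: str
    created_by: str  # user name
    package: str     # package the finding was attached to


def has_action(user: User, permission: str) -> bool:
    """Role-level check: does any of the user's groups grant this controller/action?"""
    return any(permission in ROLE_PERMISSIONS.get(g, set()) for g in user.groups)


def owns(user: User, package: Package) -> bool:
    """Ownership scope: the user belongs to at least one owner group of the package."""
    return bool(user.groups & package.owner_groups)


def can_add_finding_action_only(user: User, package: Package) -> bool:
    """Behaviour described in the thread: 'Add' is granted regardless of the
    target package, so the package argument is deliberately not consulted."""
    return has_action(user, "ComplianceAnalysisFindings/Add")


def can_add_finding_scoped(user: User, package: Package) -> bool:
    """Behaviour the poster expected: the action permission AND ownership of the target."""
    return has_action(user, "ComplianceAnalysisFindings/Add") and owns(user, package)


def selectable_packages(user: User, packages: list) -> list:
    """Ownership-filtered choices for a 'Compliance Package' form field."""
    return [p.name for p in packages if owns(user, p)]


def out_of_scope_findings(findings: list, packages_by_name: dict, users_by_name: dict) -> list:
    """Review check: findings attached to a package whose creator is not among
    its owners, i.e. candidates for the vetting step before they are accepted."""
    flagged = []
    for f in findings:
        if not owns(users_by_name[f.created_by], packages_by_name[f.package]):
            flagged.append(f.finding_id)
    return flagged


# Constructed sample: one auditor, two packages, one finding filed in the wrong package.
AUDITOR = User("auditor", frozenset({"external-auditors"}))
PACKAGES = [
    Package("PKG-A", frozenset({"external-auditors", "internal-grc"})),
    Package("PKG-B", frozenset({"internal-grc"})),
]
FINDINGS = [
    Finding("F-1", "auditor", "PKG-A"),
    Finding("F-2", "auditor", "PKG-B"),
]


def demo() -> dict:
    """Run all four checks against the constructed sample and return the results."""
    pkg = {p.name: p for p in PACKAGES}
    users = {AUDITOR.name: AUDITOR}
    return {
        "action_only_pkg_b": can_add_finding_action_only(AUDITOR, pkg["PKG-B"]),
        "scoped_pkg_b": can_add_finding_scoped(AUDITOR, pkg["PKG-B"]),
        "selectable": selectable_packages(AUDITOR, PACKAGES),
        "flagged": out_of_scope_findings(FINDINGS, pkg, users),
    }


if __name__ == "__main__":
    print(demo())
```

With the sample data the action-only check lets the auditor add to PKG-B, the scoped check refuses it, the field would offer only PKG-A, and the review query flags F-2. The review query is the practical control available while the form field is not scoped: run it periodically (or before accepting auditor findings) and it surfaces exactly the misplaced findings the question worries about in item c.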

Thanks @kisero! Just to let you know, the use case we were testing is related to the idea of adding a user for an external auditor who would have access to an analysis and would add the findings found during auditing / gap analysis.

We then have 3 options:

  1. Limit his access to the analysis only, and ask him to attach the finding using a comment on the item, so he wouldn’t need to have access to add findings
  2. Keep the risk of him adding findings to the wrong package
  3. Forget about this scenario for now :joy:

Thanks again!

When I’m on the auditor side of the table, I don’t want access to client systems. When I’m on the consultant side of the table, I don’t want auditors in my systems. I would want to vet any findings they have before adding them to my Eramba instance…