Bug ID 1135785: Web Application Manager, Editor and Security Manager roles do not have permissions to accept the modification of policy building mode for a policy

Last Modified: Nov 07, 2022

Affected Product:
BIG-IQ Web App Security (ASM)(all modules)

Known Affected Versions:
8.1.0, 8.1.0.1, 8.1.0.2

Opened: Aug 11, 2022
Severity: 4-Minor

Symptoms

Some users receive a 403 Not Authorized error when attempting to manually change the policy building mode.

Impact

Users who receive the 403 Not Authorized error cannot manually change the policy building mode.

Conditions

This error occurs for users with the role of Device Manager, Device Viewer, Network Security Deployer, Network Security Editor, Network Security Manager, Network Security Viewer, Security Manager, Trust Discovery Import, Web App Security Deployer, Web App Security Editor, Web App Security Manager, and Web App Security Viewer.

Workaround

To provide the necessary user permissions:

1. Create a Resource Group using an API call. On the BIG-IQ CLI run the command:

   restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Devices CPB Resource Group","resourceGroupDisplayName":"Devices CPB Resource Group","resourceGroupDescription":"Resource group containing Devices CPB API for use with modifyPolicy","referenceExpressionsPatches":[{"targetKind":"cm:asm:tasks:update-devices-cpb:updatedevicescentralizedconfigurationtaskstate","referenceExpressions":[{"expression":"/cm/asm/tasks/update-devices-cpb/*"}]}]}'

2. Use an API call to create a custom role type that includes the missing permissions. On the BIG-IQ CLI run the command:

   restcurl -X POST /shared/authorization/role-types -d '{"name":"AddRoleTypeToUpdateCPBPermission","displayName":"AddRoleTypeToUpdateCPBPermission","isBuiltIn":false,"isPublic":true,"permissions":[{"itemKind":"cm:asm:tasks:update-devices-cpb:updatedevicescentralizedconfigurationtaskstate","actions":["read","edit","create","delete"]}]}'

3. Use the BIG-IQ GUI to create a custom role using the just-created role type and resource group.
   a. Provide a unique name in the Name field.
   b. Select the RoleType that you created in Step 2 (RoleType is 'AddRoleTypeToUpdateCPBPermission') and select the Resource Groups that you created in Step 1 (Resource Groups is 'Devices CPB Resource Group').
   c. Click Save & Close.

4. Use the GUI to assign the custom role to the problematic user.
   a. Edit the problematic User.
   b. Assign the role that you created in Step 3.
   c. Click Save & Close.

Fix Information

None

Behavior Change