Bug ID 694788: Custom role in Relaxed Mode containing Address List resources provides very broad read access

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IQ Platform(all modules)

Known Affected Versions:
5.4.0, 5.4.0 HF1, 5.4.0 HF2

Opened: Nov 15, 2017
Severity: 2-Critical

Symptoms

A custom role in relaxed mode that contains Address List resources grants read permissions to both Network Security, Local Traffic and Network services.

Impact

Users will have read permissions for all objects in the Network Security, Shared Security, Local Traffic and Network services areas regardless of the role intent to use only the Network Security or Network version of the Address Lists. This may be an unexpected and undesired consequence of having Address Lists reside in both the Network Security and Network service areas.

Conditions

A user is assigned a role that is in relaxed mode and contains the Address List resource in it's associated resource group.

Workaround

A workaround is available that requires the Address List resources be contained in a strict role and that role associated with the user along with another relaxed role that does not explicitly contain the Address List resources.

Fix Information

None

Behavior Change