Comments (8)
> Grants should have owner(s) unless it is undeterminable (like in ImportGrants). If a user doesn't want to receive notifications about certain grants, they should hand them over to someone else.

Yes. Agreed. I meant in a manner of -
Could we have similar restrictions in the way we add/remove approvers for a given step. We check to ensure at least one approver is present in case of removal. We should be able to do that here also.
from guardian.
Agreed on the second approach with restrictions on what can be updated. 👍
from guardian.
@ravisuhag @haveiss @mabdh @bsushmith requesting for your comments 🙏
from guardian.
This feature will also help us in assigning a new owner in case the previous owner is not part of the organization.
For example, we see for serviceAccounts, the previous owners are no longer in the org, and then nobody gets any reminders when a particular serviceAccount grant eventually expires.
Would it be possible to remove owners also? In case somebody wants to re-assign their ownership and does not want to be notified about it?
In the proposed options - I feel option2 might lead to abuse as people might use this to update other fields even if they are not intended to be.
from guardian.
> Would it be possible to remove owners also? In case somebody wants to re-assign their ownership and does not want to be notified about it?

Grants should have owner(s) unless it is undeterminable (like in ImportGrants). If a user doesn't want to receive notifications about certain grants, they should hand them over to someone else.

> In the proposed options - I feel option2 might lead to abuse as people might use this to update other fields even if they are not intended to be.

this API should only work on allowed fields. For now, I think it'll be only `owner`, later after we introduced `co-owners` we can also add them.
from guardian.
Yeah, I feel the 2nd solution is simpler. But do we need to restrict the caller of the API? So not all people could update the owner field.
For the next `co-owners: []string`, I am not sure if it is that scalable to do so, but I think that could be discussed later.
from guardian.
> But do we need to restrict the caller of the API?

@mabdh the API restriction will be done from the auth proxy (shield) only, as right now that's how we configure superadmin privileged APIs as well
from guardian.
@bsushmith @mabdh can we sign off on the preferred approach? If so, I'll work on this soon.
from guardian.
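The restriction discussed in the thread (the update API accepts only allowed fields, currently `owner`, and a grant must keep an owner), as an added Go example that is not Guardian's own code. The `Grant` struct, `ApplyGrantPatch`, the error values and the JSON key names are assumptions made for illustration; caller authorization is assumed to be enforced upstream, as the thread describes.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Grant is a hypothetical, trimmed-down grant record (not Guardian's own type).
type Grant struct{ ID, AccountID, Role, Owner string }

// patchableFields is the allowlist from the thread: only "owner" for now.
var patchableFields = map[string]bool{"owner": true}

var (
	ErrFieldNotAllowed = errors.New("field is not updatable")
	ErrEmptyOwner      = errors.New("owner must not be empty")
)

// ApplyGrantPatch rejects any key outside the allowlist before touching the
// grant, and refuses to leave it without an owner. On error g is returned unchanged.
func ApplyGrantPatch(g Grant, body []byte) (Grant, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return g, fmt.Errorf("invalid body: %w", err)
	}
	for k := range raw {
		if !patchableFields[k] {
			return g, fmt.Errorf("%w: %q", ErrFieldNotAllowed, k)
		}
	}
	if v, ok := raw["owner"]; ok {
		var owner string
		if err := json.Unmarshal(v, &owner); err != nil {
			return g, fmt.Errorf("owner: %w", err)
		}
		if strings.TrimSpace(owner) == "" {
			return g, ErrEmptyOwner
		}
		g.Owner = owner
	}
	return g, nil
}

func main() {
	g := Grant{ID: "g-1", Role: "viewer", Owner: "old@example.com"} // constructed sample
	out, err := ApplyGrantPatch(g, []byte(`{"owner":"x@example.com","role":"admin"}`))
	fmt.Println(out.Owner, out.Role, err)
}
```

Decoding into a map of raw keys first is what lets the handler reject an unexpected field outright, instead of silently ignoring it or binding it onto the record.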