Permission without ability to modify policies and apply waivers

We are using a custom user with a custom role with the "IQ Elements" permission to manage organization, application, and perform application scans and nexus repos scanning.

The “IQ Elements” permission allows the user to alter policy configuration and create/apply waivers without additional authorization.

We need fine-grained permission to manage organization, application, perform scans and repos scanning and deny access to modify policies and apply waivers.

Hi Jitendra,

As of release 83 (release notes) there are now finer-grained permissions to apply Policy Waivers, Change Component License and Change Component Security Vulnerabilities.
After you have upgraded to release 83, all current roles that have the ‘Edit IQ Elements’ permission are automatically assigned these new additional permissions to keep backward compatibility. It will be up to the administrator of the Nexus IQ Server to alter permissions to suit.

See https://help.sonatype.com/nxiqmaster/managing/user-management/role-management for further details. If this does not accomplish your needs then please feel free to respond and we can discuss further.

Regards,

Mark

Hello Mark,

I installed nexus iq release 83 and disabled the following access for my custom role. I logged in to nexus iq using a user with the custom role and I’m able to modify organizational policies configuration.

I want a setting to include or exclude access to organizational policies.

CanCannot: Waive → Policy Violations

CanCannot: Change → Licenses

CanCannot: Change → Security Vulnerabilities

New change blocks policy, license or security violation change at component level, as expected.

Thanks,

Jitendra

Hello Mark,

Have you considered separating access to modify organizational policies from “IQ Elements” permissions?

Thx

@mdodgson After looking into this in more detail, my understanding of the requirement is to have a user that will be performing scans and onboarding applications, which sometimes require a new organization. The CLI environment for the scan has this information.

After performing my own testing, I believe the explicit permission that is needed is to allow ‘add organization’ in addition to existing ‘add application’.

It may be beneficial to and/or separate ‘edit policy’ from ‘edit iq elements’ as when I was looking into this, I became confused between the difference between the system-wide “Policy Administrator” and a root-level “edit iq elements”. It would be more clear if the policy permission was explicit.

@mworthington is this the same requirement that Jitendra is asking for? They seem different to me.

I think @jitendra.rai is asking to disallow a user from making modifications to organisational policies. My understanding is that this is achievable already if the user is only provided access at a child organisation or application level.

Refreshing my use case from the top of this thread -

We are using a custom user with a custom role with the "IQ Elements" permission to manage (aka create child) organization, application, and perform application scans and nexus repos scan.

We need fine-grained permission to manage organization, application, perform scans and repos scanning and deny access to modify policies and apply waivers.

@mdodgson,
When this user doesn’t have access to root organization, it can’t create child organization.

thx

Hi Jitendra,

Thank you for the clarification.
I have added this request to our backlog whilst we gather further feedback on the recent permission enhancements. It is likely that we will iterate through another permission initiative some point soon, I will be sure to add this to the candidate list.
I will update this post with any progress.

Regards,

Mark

Is there any update on this?

Hi Jitendra,

There is currently no update on this.
The permissions changes/requests are still on the backlog to be reviewed.

Regards,

Mark