Block CDot Admin access to members in unauthorized groups
Problem
CustomersDot Admin access for production and staging is configured via Okta integration.
At the moment any user that is assigned to the CustomersDot Okta app, via any group or via direct membership, can access the CustomersDot Admin.
This is not a big concern as the groups are managed by IT and users are not assigned directly to the app via the current workflows. However, we want to enforce the constraint on the CustomersDot side as well, so that access to the CustomersDot Admin (read-only access included) is driven by group membership according to this mapping:
DEVELOPMENT
Okta group | Admin access
---|---
customers-write-admin-access | CDot Admins that can manage just customer-related sections
licenses-write-admin-access | CDot Admins that can manage just license-related sections
memberships in any other group | CDot readonly Admins - no edit rights across the Admin
STAGING / STAGING-REF
Okta group | Admin access
---|---
okta-cdot-stg-write-customers-admins | CDot Admins that can manage just customer-related sections
okta-cdot-stg-write-licenses-admins | CDot Admins that can manage just license-related sections
okta-cdot-stg-readonly-admins | CDot readonly Admins - no edit rights across the Admin
PRODUCTION
Okta group | Admin access
---|---
okta-cdot-prod-write-customers-admins | CDot Admins that can manage just customer-related sections
okta-cdot-prod-write-licenses-admins | CDot Admins that can manage just license-related sections
okta-cdot-prod-readonly-admins | CDot readonly Admins - no edit rights across the Admin
Proposal
- Update the AuthenticateFromOmniauthService so that the default customer_read_only and license_read_only access levels depend on the admin being a member of at least one of the pre-approved groups listed above.
  - NOW: If the AuthenticateFromOmniauthService is called with groups set to [some-group-not-one-of-the-listed-above], we still get an Admin with: customer_access_level: customer_read_only, license_access_level: license_read_only
  - PROPOSED: If the AuthenticateFromOmniauthService is called with groups set to [some-group-not-one-of-the-listed-above], we get an Admin with: customer_access_level: nil, license_access_level: nil
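The proposed mapping, written out as an added example (not CustomersDot's own code): it derives both access levels from the Okta groups handed to the service and returns nil for an admin who is in none of the pre-approved groups. The module name, the method, and the `customer_write` / `license_write` level names are assumptions; the group names and read-only levels come from the tables above.

```ruby
# Added example, not the project's code: group -> access level mapping for the
# proposed AuthenticateFromOmniauthService behaviour. Names marked below are assumed.
module AdminAccessFromOktaGroups
  # Pre-approved groups per environment (from the issue tables).
  APPROVED_GROUPS = {
    'development' => { customers: 'customers-write-admin-access',
                       licenses:  'licenses-write-admin-access' },
    'staging'     => { customers: 'okta-cdot-stg-write-customers-admins',
                       licenses:  'okta-cdot-stg-write-licenses-admins',
                       readonly:  'okta-cdot-stg-readonly-admins' },
    'production'  => { customers: 'okta-cdot-prod-write-customers-admins',
                       licenses:  'okta-cdot-prod-write-licenses-admins',
                       readonly:  'okta-cdot-prod-readonly-admins' }
  }.freeze

  NO_ACCESS = { customer_access_level: nil, license_access_level: nil }.freeze

  # groups: the Okta groups from the OmniAuth payload (Array of String).
  # Returns { customer_access_level:, license_access_level: }.
  def self.access_levels(groups, env:)
    groups   = Array(groups)
    approved = APPROVED_GROUPS.fetch(env)

    # Development: any group grants read-only; staging/production: only a
    # pre-approved group does. Anything else yields nil levels (PROPOSED).
    member = if env == 'development'
               !groups.empty?
             else
               groups.any? { |g| approved.values.include?(g) }
             end
    return NO_ACCESS unless member

    # Membership in a write group elevates that section only; the other
    # section keeps the read-only default. (*_write names are assumed.)
    {
      customer_access_level: groups.include?(approved[:customers]) ? :customer_write : :customer_read_only,
      license_access_level:  groups.include?(approved[:licenses])  ? :license_write  : :license_read_only
    }
  end
end
```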
Result
Only Admins associated with the CustomersDot Admin Okta app via one of the pre-approved groups can access (view / write) CustomersDot resources.
Implementation details
Files that will require a review + update:
- AuthenticateFromOmniauthService
- AdminAbility, to restrict access to maybe just the dashboard with a message and no other section info: