Removed the OPA policy's default create.

Derek Hudson requested to merge aws-remove-create into master

This functionally reverts this MR.

The reason for this is that according to some use cases, unauthorized users who only have access to create records should be able to create records, even when they do not have the permissions to edit, delete, purge, or view those records.

I discovered this after some discussion with SLB members (@mzhu9 and @zmai).

The ideal way forward is to have a dedicated create validation that only validates that the service principal is a member of all of the groups referred to by the user, preferably with some validation in cases where a new group is created.

Sorry for this inconvenience.
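A sketch of the dedicated create validation proposed above, written in Rego as an added example; it is not the project's policy and not code from this MR. The package name and the `input.action`, `input.principal.groups`, `input.record.groups` and `data.groups` shapes are assumptions, and the handling of groups that do not exist yet is one possible form of the "validation in cases where a new group is created" rather than a decision the MR makes:

```rego
package records.authz

import rego.v1

# Added example, not the project's policy. Assumed input shape:
#   input.action           - "create" | "view" | "edit" | "delete" | "purge"
#   input.principal.groups - groups the calling service principal belongs to
#   input.record.groups    - groups the record being created refers to
#   data.groups            - names of groups that already exist

default allow_create := false

# A create is allowed only when the caller is a member of every group the
# record refers to. View/edit/delete/purge are decided by other rules, so a
# principal can create a record it is not otherwise allowed to touch.
allow_create if {
    input.action == "create"
    count(input.record.groups) > 0
    count(missing_groups) == 0
    count(unknown_groups) == 0
}

# Referenced groups the caller does not belong to.
missing_groups contains g if {
    some g in input.record.groups
    not g in input.principal.groups
}

# Referenced groups that do not exist yet. Membership in a group that has not
# been created cannot be verified, so such a create is refused here and is
# expected to go through an explicit group-creation step first.
unknown_groups contains g if {
    some g in input.record.groups
    not g in data.groups
}

# Human-readable reasons for a refused create, useful in decision logs.
deny contains msg if {
    input.action == "create"
    count(input.record.groups) == 0
    msg := "record must reference at least one group"
}

deny contains msg if {
    some g in missing_groups
    msg := sprintf("caller is not a member of group %q", [g])
}

deny contains msg if {
    some g in unknown_groups
    msg := sprintf("group %q does not exist yet", [g])
}
```

With the policy in `policy.rego`, an existing-groups file and an input document, `opa eval -d policy.rego -d groups.json -i input.json 'data.records.authz'` returns both `allow_create` and the `deny` reasons, so the caller can enforce the boolean and log the reasons without a second query.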