Skip to content

Removed the OPA policy's default create.

Derek Hudson requested to merge aws-remove-create into master

This functionally reverts this MR.

The reason for this is that according to some use cases, unauthorized users who only have access to create records should be able to create records, even when they do not have the permissions to edit, delete, purge, or view those records.

I discovered this after some discussion with SLB members (@mzhu9 and @zmai).

The ideal way forward is to have a dedicated create validation that only validates that the service principal is a member of all of the groups referred to by the user, preferably with some validation in cases where a new group is created.

Sorry for this inconvenience.

Merge request reports

Loading