Skip to content

Group permission denies to view user #40965

New issue
New issue
Closed
#43067
Closed
Group permission denies to view user#40965
#43067
Assignees
vramik
Labels
area/admin/fine-grained-permissionskind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.4.1release/26.5.0team/core-iam
@sirkrypt0

Description

@sirkrypt0
sirkrypt0
opened on Jul 7, 2025

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/fine-grained-permissions

Describe the bug

I'm trying to implement the following permission scheme:

  • We have two groups /Root/group1 and /Root/group2
  • We have two admin groups /Admins/group1 and /Admins/group2
  • Each admin group should be able to manage the membership for their corresponding group, so e.g. /Admin/group1 should be able to manage the membership for /Root/group1

I created three group policies:

  • Admins: applies to /Admins and extends to children
  • group1 / group2 apply to their respective /Admins/groupX group

Then I created four permissions:

  • View users and manage group membership: This should allow all members in the admins group to view and manage the group membership for all users.
    • User policy
    • Scopes: manage-group-membership, view
    • Enforces access to: All users
    • Policy: Admins
  • View groups and members: This should allow all members in the admins group to view all groups and their members
    • Group policy
    • Scopes: view, view-members
    • Enforce access to: All Groups
    • Policies: Admins
  • One permission for each of group1 and group2 which should allow members of their admin group to manage the membership for the specific group:
    • Group Policy
    • Scopes: manage-membership
    • Enforce access to: /Root/group1
    • Policies: group1

Finally, I have three users:

  • usera: member of /Admins/group1
  • userb: member of /Root/group2
  • userc: member of no group

If we now evaluate the permissions of usera we get:

  • They can view and view-members on /Root/group1 and /Root/group2
  • They can manage-membership on /Root/group1
  • They can view and manage-group-membership of userc

However, usera cannot do anything on userb, not even view them. The permission evaluation says that the manage membership of group2 permission voted DENY, which I find odd.
Apparently, the fact that userb is part of the /Root/group2 group disallows usera to view them.

Version

26.3.0

Regression

  • The issue is a regression

Expected behavior

I would expect that the group permission for /Root/group2 operates on the group object, and as expected usera cannot manage the membership for group2. I wouldn't expect that this would have an effect on whether or not usera can e.g. view userb.

Actual behavior

The group permission influences whether usera can view userb because userb is part of the group allowed by the permission.

How to Reproduce?

  1. Use the realm export realm-export-permissions-demo.json to import the realm.

  2. Create three users usera, userb, userc.

  3. Assign usera to group /Admins/group1.

  4. Assign userb to group /Root/group2.

  5. In the permissions evaluation tab, evaluate usera on Users resource type for user userb and see that all scopes are denied.

    Image

  6. Evaluate the same but this time for users userc instead of userb and see that view and manage-group-membership are allowed.

    Image

Anything else?

No response

Metadata

Metadata

Assignees

Labels

area/admin/fine-grained-permissionskind/bugCategorizes a PR related to a bugpriority/importantMust be worked on very soonrelease/26.4.1release/26.5.0team/core-iam

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions