KBEC-00210 - Ensuring restricted agent access by using a factory procedure to control resource creation

Article ID:360032829752
1 minute readKnowledge base
On this page

Problem

Given a user with permission to create or modify resources, there is no means to control which agents such resources are configured to use.

For example, TeamA and TeamB each have their own set of resources. The ACLs on the resources prevent TeamA from using TeamB’s resources and vice-versa. However a member of TeamA with permission to create resources can create resources pointing to agents on TeamB’s machines.

Solution

Use a factory procedure to control resource creation:

  1. Create a procedure in a project that has permission to create/modify resources.

  2. Remove create/modify resource permission for relevant users.

  3. Grant execute permission on the procedure to those same users.

The factory procedure can be used to do any necessary validation, including implementing a permission scheme to control what agents a user may point resources to.

Property sheets (which have ACLs) will be used to simulate ACLs on agents. Assume the following structure: a property sheet (called agents) with nested sheets, each representing agents:

  • agents

    • agent1

    • agent2

    • agent3

The factory procedure will use the agent host name to do an access check on the nested sheet of the same name, for example, attempting to create a resource pointing to agent host called 'foo' will do an access check on the agents/foo property sheet.

It is an implementation detail whether a missing agent/foo sheet results in success or failure; either way makes sense depending on circumstances.

As described, the access check works as a 'allowlist' of agents; simply inverting the logic of the access check turns it into a denylist.