Skip to content

feat: enhance identity permissions and update UI for access control l…#5739

Merged
victorvhs017 merged 3 commits intomainfrom
fix/add-identity-id-condition-back
Mar 17, 2026
Merged

feat: enhance identity permissions and update UI for access control l…#5739
victorvhs017 merged 3 commits intomainfrom
fix/add-identity-id-condition-back

Conversation

@victorvhs017
Copy link
Copy Markdown
Contributor

@victorvhs017 victorvhs017 commented Mar 17, 2026

Context

This PR restores and extends the identityId condition for Identity permissions so roles can scope access to specific machine identities.

Before: Only GrantPrivileges, AssignRole, and AssignAdditionalPrivileges supported the identityId condition. Other Identity actions (Read, Create, Edit, Delete, AssumePrivileges, RevokeAuth, CreateToken, GetToken, DeleteToken) did not support conditions.

After: All Identity actions support the identityId condition. Admins can define roles that limit operations (e.g. read, edit, revoke auth) to specific machine identities.

Additional changes:

  • Identity details UI: "Go to organization access control" link is only shown when the user has org identity read permission; the "To make changes" text is moved inside the permission check.

Steps to verify the change

  1. Identity conditions
    • Create or edit a project role.
    • Add Identity permissions (e.g. Read, Edit, Revoke Auth).
    • Confirm the identityId condition is available and can be configured.
    • Save the role and verify the API accepts the conditions.
  2. Identity details page
    • Open an identity whose auth is managed at the org level.
    • With org identity read permission: verify the "go to organization access control" link appears.
    • Without org identity read permission: verify the link is hidden.

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@maidul98
Copy link
Copy Markdown
Collaborator

maidul98 commented Mar 17, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 17, 2026
edited
Loading

Greptile Summary

This PR extends identityId condition support to all Identity permission actions (previously only GrantPrivileges, AssignRole, and AssignAdditionalPrivileges had this), and fixes the UI to correctly gate the "go to organization access control" link behind org identity read permission. The backend, frontend condition map, and docs are all updated consistently.

Key findings:

  • AssumePrivileges enforcement bug: assume-privilege-service.ts calls throwUnlessCan(AssumePrivileges, ProjectPermissionSub.Identity) without wrapping the subject with identityId. CASL evaluates a condition like { identityId: { $eq: "..." } } against a plain string (which has no identityId property), so the condition always fails — any role scoped to a specific identity for AssumePrivileges will be permanently denied.
  • Create + identityId condition is semantically inconsistent: For brand-new project-scoped identity creation (project-identity-factory.ts), no identityId exists at permission-check time, making the condition unsatisfiable. For membership creation (project-membership-identity-factory.ts), the identityId is available but not passed to the check. Only the auth-attachment code paths (e.g., identity-ua-service.ts) correctly pass identityId for Create checks. This creates a confusing and partially broken experience for admins configuring scoped Create permissions.
  • The UI changes (gating "To make changes" text + link) are correct and well-implemented.
  • The docs additions are accurate and complete.

Confidence Score: 2/5

  • Not safe to merge as-is — the AssumePrivileges condition will always be denied due to a missing identityId in the enforcement subject, and the Create + identityId condition is inconsistently enforced across code paths.
  • Two P1 logic issues: (1) AssumePrivileges enforcement doesn't pass identityId to the CASL subject, rendering the new condition permanently non-functional; (2) Create action with identityId condition works on some code paths but silently blocks others (brand-new identity creation, membership creation). The UI and docs changes are clean, but the core permission enforcement logic needs fixes before this is safe to ship.
  • backend/src/ee/services/assume-privilege/assume-privilege-service.ts (missing identityId in subject for AssumePrivileges check) and backend/src/ee/services/permission/project-permission.ts + frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx (re: Create + identityId condition semantics).

Important Files Changed

Filename Overview
backend/src/ee/services/permission/project-permission.ts Adds identityId as an allowed condition for Read, Create, Edit, Delete, AssumePrivileges, RevokeAuth, CreateToken, GetToken, and DeleteToken Identity actions. The Create condition is semantically inconsistent across different enforcement code paths.
frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx Mirrors the backend change by updating ACTION_ALLOWED_CONDITIONS to expose identityId as a configurable condition for all Identity actions in the role-editing UI. Inherits the same semantic concern around the Create action.
frontend/src/pages/organization/IdentityDetailsByIDPage/IdentityDetailsByIDPage.tsx Correctly moves the "To make changes" text and the org access control link inside the OrgPermissionCan gate, so both are hidden when the user lacks org identity read permission. Straightforward UI improvement with no issues.
frontend/src/pages/project/IdentityDetailsByIDPage/IdentityDetailsByIDPage.tsx Same permission-gating fix as the org page: "To make changes" text and the link are now hidden when the user lacks org identity read permission. No issues.
docs/internals/permissions/project-permissions.mdx Adds documentation rows for the five newly supported Identity actions (assume-privileges, revoke-auth, create-token, get-token, delete-token) with their identityId condition key. Content is accurate and well-structured.

Comments Outside Diff (1)

  1. backend/src/ee/services/assume-privilege/assume-privilege-service.ts, line 51-54 (link)

    P1 AssumePrivileges condition is never evaluated — identityId not passed to subject

    This PR advertises identityId as a supported condition for AssumePrivileges, but the enforcement check here passes only the plain string ProjectPermissionSub.Identity, not a CASL subject(...) with identityId data.

    When CASL evaluates a permission that has a condition like { identityId: { $eq: "abc" } } against a plain string (which has no identityId property), the condition always resolves to undefined, making it never match. This means any role configured with an identityId-scoped AssumePrivileges will always be denied, regardless of the target identity.

    The targetActorId variable is already available here (it is the identity being assumed). The fix is to wrap the subject with the correct identity:

    Note that subject is already imported from @casl/ability in this file (used on the User path indirectly), so you may need to add the import if it isn't there yet.

Last reviewed commit: 3c59151

greptile-apps[bot]
greptile-apps bot reviewed Mar 17, 2026
View reviewed changes
@linear
Copy link
Copy Markdown

linear bot commented Mar 17, 2026

ENG-4721 Add conditions to machine identity policy actions

@victorvhs017 victorvhs017 requested a review from IgorHorta March 17, 2026 17:39
@victorvhs017 victorvhs017 merged commit d90ad61 into main Mar 17, 2026
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IgorHorta IgorHorta IgorHorta approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@victorvhs017 @maidul98 @IgorHorta