DOS2380

Security Roles - Restrict inherited common group access permissions on variable group and secure file

DOS2380

AzureDevOps project Severityhigh builtIn

Description

Do not allow variable groups and secure files to inherit elavated permissions from project level user permissions. The groups (Contributors, Readers, Project Collection Valid Users, Project Valid Users) should not have elavated permissions (Admin/User). User permissions for certain groups must be restricted to read-only access. https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-lookup-guide https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources?#user-permissions https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-library-permissions

En savoir plus

Recommandation

1. Navigate to Project -> Pipelines -> Library 
2. On 'Library' page, click on Security button. 
3. Review security roles and ensure common groups have only read-only access.

Règle de politique

{
  "target": "ADOSecurityRoleAssignment",
  "if": {
    "allOf": [
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ResourceType",
        "operator": "equals",
        "value": "Project"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "ScopeResource.ScopeId",
        "operator": "equals",
        "value": "distributedtask.library"
      },
      {
        "resource": "ADOSecurityRoleAssignment",
        "property": "Identity.DisplayName",
        "operator": "contains",
        "value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_COMMON_GROUPS)"
      },
      {
        "anyOf": [
          {
            "resource": "ADOSecurityRoleAssignment",
            "property": "Role.Name",
            "operator": "equals",
            "value": "Reader"
          },
          {
            "resource": "ADOSecurityRoleAssignment",
            "property": "Role.Name",
            "operator": "equals",
            "value": "Creator"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
« DOS2370 DOS2390 »
Détails de la règle
  • ID de la règle: DOS2380
  • Code: ADO_Project_SecurityRoles_Library_Restrict_Inherited_Common_Group_Access
  • Plateforme: AzureDevOps
  • Catégorie: project
  • Sévérité: Severityhigh
  • Type: builtIn
Règles connexes

Copyright © DevOps Shield. Tous droits réservés. Politique de confidentialité | Politique de témoins | Conditions d'utilisation