Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling auditing errors out of our control #199

Open
1 of 10 tasks
amstilp opened this issue Oct 13, 2022 · 2 comments
Open
1 of 10 tasks

Handling auditing errors out of our control #199

amstilp opened this issue Oct 13, 2022 · 2 comments
Labels
discussion Would benefit from group discussion

Comments

@amstilp
Copy link
Contributor

amstilp commented Oct 13, 2022
edited
Loading

In some cases, the AnVIL team adds their own people or groups to our resources (e.g., groups, workspace sharing, etc). How do we want to handle this?

  • Create an equivalent record in Django (e.g., sharing with the anvil-admins group)? Likely this would need to be done manually from the admin interface.
  • Implement a way to ignore certain records (e.g., if an AnVIL dev created a workspace, they may be marked an owner. This is ok and we don't want the record in the app). The audit could report the "ignored" resources but not consider them errors.

Task list:

  • Managed groups:

    • Add a model to track ignored audit errors for managed group membership
    • Update the ManagedGroupMembershipAudit method to ignore records in the above model
    • Add a list of ignored records to the managed group detail page (staff view only)
    • Add a button to the "Not in app" audit table that will add a record to the ignore model
    • Add a button on the detail page that will let us stop ignoring a record

  • Workspaces:

    • Add a model to track ignored audit errors for workspace sharing
    • Update the WorkspaceGroupSharingAudit method to ignore records in the above model
    • Add a list of ignored records to the Workspace detail page (staff view only)
    • Add a button to the "Not in app" audit table that will add a record to the ignore model
    • Add a button on the detail page that will let us stop ignoring a record
@amstilp
Copy link
Contributor Author

amstilp commented Mar 3, 2023
edited
Loading

After discussing with @smgogarten, for the second bullet (if we end up implementing this instead of just removing them):

  • Add a new model with two fields, workspace and EmailField. This model tracks which emails to ignore when auditing sharing records for a given workspace. This table should only be populated via the Admin interface, so no extra views are necessary.
  • Modify the Workspace.audit_sharing() method to ignore any emails in this table.
  • Modify AnVILAuditResults classes to handle ignored records - they should be tracked but reported as ignored.
  • Modify audit views to show ignored records but not mark them as errors.
  • Modify run_anvil_audit command to report ignored records only if --errors-only is not passed.
  • Make sure to add tests for case-insensitivity etc.

@amstilp amstilp added the discussion Would benefit from group discussion label Sep 26, 2024
@amstilp
Copy link
Contributor Author

amstilp commented Dec 13, 2024
edited
Loading

Change in strategy - audits can have a button in the "not in app" table to ignore errors.

If there are any errors in the "needs action" table, they should not be ignored because there is a record of them in the app. This would still be a problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discussion Would benefit from group discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@amstilp