Imperva Cyber Community

communities_1.jpg
 View Only

Many parent-site policies default to being editable by sub-account admins

  • 1.  Many parent-site policies default to being editable by sub-account admins

    Posted 11-21-2022 11:51
    We have a larger parent account with a number of smaller sub-accounts. We've recently begun looking into sub-account permissioning, and discovered that all of the "edit policy" type permissions grant a sub-account user to edit all policies visible to the sub-account.

    It's not clear to me under what circumstances a policy is set as "available for all sub accounts" vs. "available to specific sub-accounts," but most of our policies are "available to all sub accounts," including some that I was under the impression that I was creating within a particular sub-account. This means that a user in a sub-account with "edit policy" permissions can edit policies that apply to sites in the parent account or other sub-accounts.

    I reached out to Imperva about this, and was told,
    I understand your concern.
    Sadly, this is by design, since we have already erected the alert banner for users to be careful.

    While there is an alert banner, it's only visible to the user who already has the permission; it's not clear, either in the UI or in the documentation, when an admin is assigning permissions to sub-account users, that this is possible. (And if this permission caused an incident, our customers would not be satisfied with "Oh, but there was an alert banner!" as a systemic control to prevent it.)

    Obviously the solution in this instance is to clean up our policies so that they're only available to specific sub-accounts, but I really do not like that this is the default behavior.
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Miriam Roberts
    Systems Engineer
    NGP VAN
    Washington DC
    ------------------------------