Allowing Remediation Owner users to create their own custom VUL Remediation Tasks

Joe Kline
Kilo Guru

Hey everybody.

We are investigating the best way to allow a user with the Remediation Owner role to be able to create a custom Remediation Task without just opening everything up and giving everybody the write_all role.  Based on the ACLs and UI Button conditions, it seems that is what is required for the "New" button to be available out on the Remediation Task list view.

Does anybody out there do this kind of thing, and if so what was the choice of actions and direction taken to implement?

 

Thanks, in advance, for all input and dialog.

12 REPLIES

Yes, we have the Assigned to Me and Assigned to My Groups module links visible to Remediation Owners in both Vulnerable Items and Remediation Tasks - we will add this to our investigation for sure.  Thanks for the hidden tidbit, Andy.

paul_gerigk
Tera Guru

I don't think it's a good idea to allow Remediation Owners to create their own VUL Remediation Tasks.
Reason: Remediation Owners additionally get access to Vulnerable Items when they are assigned to (meaning the assigned_to field) a remediation task, even when they are not assigned to the vulnerable items. So every Remediation Owner could then grant himself access to all Vulnerable Items in the system.
A better way is to identify needs for Remediation Tasks with VUL Analysts and let them create those tasks and/or Watch Topic -> Remediation Efforts -> Remediation Tasks.

Thanks, Paul.  This too is a valid idea and thought.  Rather than open access to MANY remediation owners, just increase the number of people involved in reacting to the requests (help eliminate our team as the bottleneck) and result in no changes/technical debt at all.  Appreciate the suggestion!