This repository has been archived by the owner on Jun 5, 2023. It is now read-only.
The External Project Access Scanner (referred to hereafter as EPAS) doesn't function the same as other scanners. Consider the following. We are in Organization A with Forseti deployed. A user has access to a project in Organization B. No logs and no API data in Org A expose this fact. Therefore, this information never ends up in Forseti's inventory.
In order to overcome this, EPAS iterates over each user in Org A and obtains delegated credentials for each user. Using these delegated credentials, EPAS then queries for a list of projects for which the user has access. This list happens to include projects that are not necessarily in Org A.
This takes an extraordinary amount of time for large organizations. For this reason, EPAS is not included in a periodic run. It must be invoked manually. But this isn't the issue at hand.
The issue is that the CAI may not show a user's relation to projects outside of Org A. This needs to be investigated, confirmed, and hopefully resolved.
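The per-user loop described in this issue, as an added example that is not part of the original issue and is not Forseti's code. The two callables are hypothetical stand-ins for listing projects with a user's delegated credentials and for an ancestry lookup; deciding "external" by ancestry and caching that lookup are assumptions, and all users, projects and organization IDs are constructed.

```python
from typing import Callable, Dict, Iterable, List, Tuple

def find_external_access(
    users: Iterable[str],
    own_org: str,
    list_projects_as: Callable[[str], Iterable[str]],  # hypothetical: list with delegated creds
    get_ancestry: Callable[[str], List[str]],          # hypothetical: project -> ancestor names
) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (user -> projects outside own_org, user -> listing error)."""
    in_org: Dict[str, bool] = {}  # one ancestry lookup per project, shared by all users
    findings: Dict[str, List[str]] = {}
    errors: Dict[str, str] = {}
    for user in users:
        try:
            projects = list(list_projects_as(user))
        except PermissionError as exc:  # delegation refused for this user
            errors[user] = str(exc)     # record it and keep scanning the others
            continue
        external = set()
        for project in projects:
            if project not in in_org:
                in_org[project] = own_org in get_ancestry(project)
            if not in_org[project]:
                external.add(project)
        if external:
            findings[user] = sorted(external)
    return findings, errors

# Constructed sample data: Org A is organization/1000.
VISIBLE = {"alice@a.example": ["proj-a-web", "proj-b-data"],
           "bob@a.example": ["proj-a-web"],
           "carol@a.example": ["proj-b-data", "proj-personal"]}
ANCESTRY = {"proj-a-web": ["project/proj-a-web", "folder/111", "organization/1000"],
            "proj-b-data": ["project/proj-b-data", "organization/2000"],
            "proj-personal": ["project/proj-personal"]}  # project with no organization

def run_sample():
    lookups = []  # records which projects actually needed an ancestry call
    def list_projects_as(user):
        if user not in VISIBLE:
            raise PermissionError("delegated credentials unavailable")
        return VISIBLE[user]
    def get_ancestry(project):
        lookups.append(project)
        return ANCESTRY[project]
    users = list(VISIBLE) + ["dave@a.example"]
    findings, errors = find_external_access(
        users, "organization/1000", list_projects_as, get_ancestry)
    return findings, errors, lookups
```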