Thehive: User groups (multi-tenancy)

Created on 25 Jan 2017  Â·  23Comments  Â·  Source: TheHive-Project/TheHive

Request Type

Feature Request

Work Environment

| OS version (server) | Ubuntu
| TheHive version / git hash | 2.9.1

Problem Description

I would like to ask for the possibility to let a user (or a group of users) to access only cases with a set of given tags.
For example, a user "X" shall be allowed to see (and modify) only cases with tag "Y", "Z"
Thank you

feature request

Most helpful comment

Update: we have decided to make this happen sooner than later. It is now scheduled for 3.1 (Cerana 1) due sometime in April 2018.

All 23 comments

It could be useful to restrict analyzer access, too.

Hi, I do not really get the tags idea.
Who will be settings the tags?

From my original request:
Is there a way to get users permissions organized in groups comparable to MISP - organizations based?
Is there a user groups management concept?
Is there a case integrity concept? Limited access to the tickets that owned by one group from another and notification of the ticket author about changes to the ticket from another investigator.

@MariasStory this is not implemented, yet. So currently there's no way to restrict access to specific cases etc.

Here is my comment on #162:

We are against creating yet another level below the case level. Instead, we'd study adding custom tags according to a taxonomy that would allow you to achieve the same results. For example shared:all, shared:groupX, ...

As for user/roles, that won't come before 3.0 slated for Q4 2017. We'll track this in #103.

So @MariasStory:

  • _Who will be settings the tags?_ You, according to your needs, using a taxonomy (see above).
  • _Is there a way to get users permissions organized in groups comparable to MISP - organizations based?_ We have no current plans of using MISP-like organizations to share cases between two or more TheHive instances. However, if the goal is to solely manage case access per user/group, then this is a feature slated for 3.0 slated for Q4 2017.
  • _Is there a user groups management concept?_ No. That will come with 3.0.
  • _Is there a case integrity concept? Limited access to the tickets that owned by one group from another and notification of the ticket author about changes to the ticket from another investigator._ Besides the real-time stream, there's an audit trail that will let you see every action ever made to TheHive. Admittedly, it is not easy to query and read for the layman so we will be providing an easy way to query and monitor it.

Hi @3c7 I kind of got this idea. From what I see is that the project is over-complicated and over-planned. The use of Scala requires compilation, that is (in contrast to node.js/python in worse case php) limiting factor for effective collaboration in development and fast patching.
I would not mind, if this would be a mature solution and there was a question of adding simple/convenience feature. In this case, we are implementing the solution on a large scale. We would not mind professional support, but it should be a responsive and open-minded team able to implement features as needed.

Don't get me wrong, I do appreciate the effort and willing to help.

At the moment, I suggest to have the integrity checks and make the development as dynamic as possible. Don't wait till Q4. Ask for help, if you need it, and get it done.

There is a big potential in the solution and at worst the active developers may get a good position with this experience. Make this project great and bring it to industry.

I suggest to get example from Radare2 community. They solve problems over night and their builds never break.

I am sorry to waist my time for writing this comment, I would prefer give you ready solution. This, on another hand would mean to much effort from my side with the current configuration.

Please, make a list of tasks that have to be done and try to subdivide the tasks as granular as it can be done. Try to involve as many programmers/supporters as you can and get this project going.

Is there something that I miss?

Hi @MariasStory. I am sorry to learn that you find our project over-complicated and over-planned. We are striving to make rock-solid products that may match if not surpass some commercial alternatives that cost 80K€+ a year.

We have chosen Scala for the back-end for many reasons and we do not intend to use node.js/python or PHP anytime soon.

While implementing user/group management might seem to you an easy feature, we think otherwise and we have a clear vision of where we are going with the product while listening, as we have shown many times, to our user community requests. Nonetheless, if you'd like to contribute, please feel free to do so. That being said, we'd prefer security professionals to concentrate on bringing real value to the community by contributing analyzers, which they can write in any programming language supported by Linux.

Since you've mentioned professional support (which comes at a cost), please do not hesitate to contact us on support at thehive-project dot org if you have business in mind.

If you still feel unsatisfied, and as much as we'd like to see our products used as widely as possible to help bring a dent into cybercrime, please do not hesitate to look for commercial or open source alternatives that better suit your needs.

Regards,

I also would be very happy to be able to control access to certain cases.

Do you think deadbolt could be a good candidate solution to implement it?

Best regards,

Updating my comment below:

  • _Is there a user groups management concept?_ No. That will come with 4.2 and not 3.0 as initially planned. That being said, we'll strive to make it happen earlier.

Update: we have decided to make this happen sooner than later. It is now scheduled for 3.1 (Cerana 1) due sometime in April 2018.

Hello,

My 2cts on implementing it using tags: this would indeed automate the tagging from alerts when they are create by hive4py but this could be prone to errors (ex: case is related to team1 but concerns a project which also appears to be team2's name).

Would it be possible to use a dedicated field like like "group" or "tenant" to handle this and be able to set this field in alerts from the API and propagate it to cases?

Thank you

Just curious if there's been any progress on this particular feature. I've been eyeing this product for our team, however lack of case specific permissions is a non-starter for us to pick up this product.

Still on track for Cerana 1 (3.1), initially planned TBR Apr 2018 and delayed to July 2018.

The feature is more complex to implement than initially thought. We will explain how is it so in a blog post pretty soon so you can understand why it was delayed to Cerana 2 (TheHive 3.2.0). Once the blog post is online, feel free to contact us if you are able to help. I will add the link as a comment to this issue.

I have seen that Cerana 2 Beta is announced. Any idea on this specific feature. I'm on the edge of migrating all my archived Cases to this and Just waiting for this feature. BTW thanks a lot guys for an amazing product.

I would be very interested on the current status and potential release date of this feature. We are considering which IRP to use and we like the product but the ability to restrict access is a deciding factor for us.

There's also a blog post (https://blog.thehive-project.org/2018/06/27/the-mind-boggling-implications-of-multi-tenancy/) explaining why it's complicated to implement. Howewer, it's announced for October 2018 at the moment.

+1 cannot wait for this feature to come!

Guys, do you have any info on the feature realization?

Saad,

I'm excited about multi-tenancy (RBAC) on theHive! Should be later this month right?

Nope this feature has been delayed to next year. It requires heavy lifting and we only have so much dev time.

Hey Saad and team,
Just checking here, is RBAC slated for any particular version of theHive this year ? ( understand that this is heavy dev, hence just checking to see if it's still on the roadmap) .

Hi,

i am really interested too in this feature. have we got news about it?

Hi,

I also need this feature. Any news?

Was this page helpful?
0 / 5 - 0 ratings