Description
Customers have the option of synchronizing Kenna users/roles with AD users/groups with the Kenna Security Toolkit.
However, synchronizing Kenna users/roles with AD users/groups has the unexpected side-effect of removing any roles that aren't based on AD group memberships (i.e. any roles that aren't provided in the input CSV file).
As a result, customers cannot use manually created roles in conjunction with automatically created roles.
The problem has to do with how roles are granted to users in toolkit/tasks/utilities/user_role_sync/user_role_sync.rb.
Here we can see that users will be assigned roles based exclusively on the content of the input CSV file (i.e. any existing roles not present in the CSV file will be removed):
CSV.open(csv_file_path, "r:bom|utf-8", headers: true) do |csv|
  csv.each do |row|
    email_address = row[@email_col].downcase
    first_name = row[@firstname_col]
    last_name = row[@lastname_col]
    role_array = row[@role_col].split(",").map(&:strip)
    ...
    if user_exists(email_address)
      ...
      update_user(@user_id.to_s, first_name, last_name, email_address, role_array)
    else
      ...
      create_user(first_name, last_name, email_address, role_array)
    end
    sleep(2)
    ...
  end
end
...
def update_user(uid, fname, lname, email, role_array)
  ...
  json_data = {
    "user" => {
      "firstname" => fname,
      "lastname" => lname,
      "email" => email,
      "roles" => role_array
    }
  }
  ...
  begin
    RestClient::Request.execute(
      method: :put,
      url:,
      payload: json_data,
      headers: @headers
    )
  ...

To fix this, you could look up the list of roles assigned to each user via Kenna's API before updating the roles assigned to that user.
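The merge step that such a fix needs, as an added example that is not part of the toolkit's code: it treats every role the CSV can grant as AD-managed (so a role that drops out of the CSV is still revoked) and preserves any other role the user currently holds. The CSV rows and the `CURRENT_ROLES_FROM_API` map are constructed inputs standing in for the real file and the API lookup.

```ruby
require "csv"
require "set"

# Constructed CSV in the shape the sync task reads (email, name and role columns).
SAMPLE_CSV = <<~CSV
  email,firstname,lastname,roles
  alice@example.com,Alice,Adams,"AD-Admins, AD-Analysts"
  bob@example.com,Bob,Brown,AD-Analysts
CSV

# Parse the CSV into { email => [roles] }, mirroring the per-row logic in user_role_sync.rb.
def desired_roles_from_csv(csv_text)
  desired = {}
  CSV.parse(csv_text, headers: true) do |row|
    desired[row["email"].downcase] = row["roles"].split(",").map(&:strip)
  end
  desired
end

# AD-managed roles are the ones the CSV can ever grant: the union of all role columns.
# Anything outside that set was created by hand and must survive the sync.
def managed_roles(desired)
  desired.values.flatten.to_set
end

# Role list to send for one user:
#  - every role the CSV grants this user (current AD group membership);
#  - plus every current role that is not AD-managed (manual grants are kept);
#  - AD-managed roles the CSV no longer grants are dropped, so group removal still revokes.
def merged_roles(current_roles, csv_roles, managed)
  kept_manual = current_roles.reject { |r| managed.include?(r) }
  (csv_roles + kept_manual).uniq
end

# Constructed stand-in for "look up each user's current roles via Kenna's API".
CURRENT_ROLES_FROM_API = {
  "alice@example.com" => ["AD-Admins", "Manual-Auditor"],
  "bob@example.com"   => ["AD-Admins", "AD-Analysts", "Manual-Auditor"]
}

# Returns { email => roles to PUT } for every row in the CSV.
def plan_updates(csv_text, current_by_email)
  desired = desired_roles_from_csv(csv_text)
  managed = managed_roles(desired)
  desired.to_h do |email, csv_roles|
    [email, merged_roles(current_by_email.fetch(email, []), csv_roles, managed)]
  end
end
```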