Headline:
A setting that defaults the permissions on newly found resources (such as when you add a vCenter Portgroup, a new Network Domain or IP Pool in IPAM, etc.) to “None” instead of the “All” group, as Morpheus does now
Description:
Currently, when a new Portgroup is added to vCenter, or a new IP pool or Network Domain is added to an external IPAM source such as EfficientIP, Morpheus discovers this during its sync and will default to having the permission of “All” checked. This presents the issue where users are then able to utilize said resource even if they should not be able to, due to the default permissions being set.
Example/Use case(s):
Log into vCenter, create a new portgroup within a virtual switch
Wait for Morpheus to sync against vCenter
When the sync has completed, impersonate a standard level user where you have granular permissions put in place around what “Network(s)” they can build against, and you’ll see the newly discovered VMware portgroup shows.
If you check the permissions on said network in the Infrastructure → Networks area, you’ll see under “Group Access” that the box beside “all” is checked automatically when discovered.
A setting allowing you to default to “none” would provide the ability to follow the “least required privilege” flow and prevent granting default access to resources users should not have by default.