Projects can only be read via. API as admin

[mreiche]

Current Behavior

I created an Automation user and added the PORTFOLIO_MANAGEMENT permission.
But this user is unable to read all projects like:

https://dtrack.example.com/api/v1/project?pageNumber=1&pageSize=25&excludeInactive=false&onlyRoot=true

-> Result: 5 of 79

As soon as I switch the API key to an Administrator and perform the exact same call:

-> Result: 25 of 79

Steps to Reproduce

1. Have more projects as 25
2. Create an Automation api key with PORTFOLIO_MANAGEMENT
3. Create an Admin api key with all permissions
4. Compare the project search results.

Expected Behavior

I expect that a user with PORTFOLIO_MANAGEMENT is able to read all projects.

Dependency-Track Version

4.13.6

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Do you have the portfolio access control feature enabled? In that case it is intended that users can only see the projects they've been explicitly granted access to.

Admins bypass this restriction, so I assume that's why your admin user can see all projects.

[fvelcker]

I think that is similar/related, I created a discussion a couple of days ago about API keys management being confusing (see #5765) and having the same issue especially in CI/CD context.

But I find out that giving ACCESS_MANAGEMENT allow to access other team projects, which I find a bit odd...

[nscuro]

ACCESS_MANAGEMENT bypasses project-level authorization checks, because with that permission you can give yourself access to everything anyway.

[fvelcker]

Yeah so that doesn't seem right to give that perm to just upload SBOMs from my pipeline.

[nscuro]

It isn't, and it shouldn't be required unless you enable the portfolio access control feature, in which case you need to give teams explicit permission to access projects.

[fvelcker]

Yes, but, in is not very viable in a ci/cd environment.
Currently, correct I am misunderstanding (very possible as I am still learning), we have: one project belongs to one team (that can have multiple API keys), and perms are per team not per key (which i think defeat the point of having multiple keys).

In the my pipeline, I have a job that is uploading the SBOM for each project.

So, for instance, if we have 10 teams for 50 projects, in my pipeline I need to manage and maintain 10 different keys with the upload_sbom perm (which might also not be needed for human users of the team).

If we could have service accounts or have multiple teams per project that would be more manageable.