Affects Version/s: 2.3.0.patch
Fix Version/s: None
From: Redman, Chad
Sent: Wednesday, June 28, 2017 11:44 AM
Subject: Non-wheel privileges for attestation access
We just had our first user get an attestation recertification email, and when they tried to certify, they reported back an error: "etc:attribute:attestation:attestation attribute doesn't exist".
The user actually wasn't an admin for the group, but got the email because the address was explicitly set in the Email addresses field. However, in my testing using a non-wheel account, being an admin for the group is not enough. When I gave my non-wheel user admin privileges, I could reproduce the same error. The only way I could get attestation to work was to grant the user read/update on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef. But this is not desirable, as it now allows the user to edit attestation for any group.
Am I looking at this the wrong way?