feat(pam): account policies #5971
… account detail page
✅ Snyk checks have passed. No issues have been found so far.
Greptile Summary

This PR introduces PAM account policies — a typed rule system (command blocking, session log masking) that can be attached to accounts and enforced when the gateway fetches session credentials. The implementation follows established PAM patterns: a new

Confidence Score: 5/5

Safe to merge; all remaining findings are P2 style/naming suggestions that don't affect correctness or security. All P0/P1 concerns (cross-project policy assignment, gateway auth, RE2 usage, migration idempotency) are handled correctly. The four inline comments are P2 style issues:

No files require special attention.
| Filename | Overview |
|---|---|
| backend/src/db/migrations/20260408014652_pam-account-policies.ts | Adds PamAccountPolicy table and policyId FK column on PamAccount; idempotent up(), but down() drops the table before dropping its trigger (harmless, but unconventional order). |
| backend/src/ee/services/pam-account-policy/pam-account-policy-dal.ts | Simple DAL wrapping ormify; findByProjectId uses void query.whereILike(...) which works but is misleading style. |
| backend/src/ee/services/pam-account-policy/pam-account-policy-service.ts | Full CRUD service with correct project-scoped permission checks and cross-project policy-ID validation on both create and update paths. |
| backend/src/ee/routes/v1/pam-account-policy-router.ts | REST router for policy CRUD with audit logging; sanitizePolicy is only a type cast despite the suggestive name. |
| backend/src/ee/services/pam-account-policy/pam-account-policy-schemas.ts | Uses RE2 for pattern validation (ReDoS-safe); correctly requires at least one rule via refine. |
| backend/src/ee/services/permission/project-permission.ts | Adds ProjectPermissionPamAccountPolicyActions with generic Read/Create/Edit/Delete names; consider more descriptive subject-specific names per project convention. |
| backend/src/ee/services/pam-account/pam-account-service.ts | Correctly validates policyId belongs to the same project on both create and update; getSessionCredentials filters rules by resource type using PAM_ACCOUNT_POLICY_RULE_SUPPORTED_RESOURCES. |
| backend/src/ee/routes/v1/pam-session-router.ts | Adds policyRules field to the session-credentials response; properly typed against PolicyRulesResponseSchema. |
Reviews (1): Last reviewed commit: "docs: added documentation"
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1db7b7f8f0
…to audit log filter
Keep both PAM account policy events (from this branch) and PAM_ACCOUNT_READ_CREDENTIALS event (from main).
- Use UnstableCard layout matching roles page pattern
- Replace table toggle with Enabled/Disabled status badge
- Move active toggle to edit sheet only
- Allow spaces in policy names (remove slug validation)
- Replace resource type icons with text badges
- Add tooltip on account form policy field
- Style rule cards to match SVR constraint cards
- Add dashed empty state for rules section
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 29927633 | Triggered | PostHog Project API Key | 9298abe | docs/docs.json |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
Context
Adds account policies to PAM. Policies contain typed rules (command blocking, session log masking) that can be attached to accounts. When the gateway fetches session credentials, applicable rules are returned based on resource type.
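The description above and the review table describe three checks a reviewer would want to see hold: a policy must carry at least one rule, a policy can only be attached to an account in the same project, and the gateway only receives the rules that the account's resource type supports. The following is an added example, written for this page and not Infisical's own code: a minimal TypeScript model of those checks plus the two rule types (command blocking and session-log masking) applied at the gateway. Every name, type and the resource-support table are assumptions chosen for illustration; the real schema validates patterns with RE2, which this example does not replicate (it uses JavaScript's `RegExp`, so a pattern that compiles is not thereby proven backtracking-safe).

```typescript
// Added example, not Infisical's code. All names and the support table are assumed.

type ResourceType = "postgres" | "mysql" | "ssh";

type PolicyRule =
  | { type: "command-block"; pattern: string }
  | { type: "log-mask"; pattern: string; replacement?: string };

interface AccountPolicy {
  id: string;
  projectId: string;
  name: string;
  isActive: boolean;
  rules: PolicyRule[];
}

interface PamAccount {
  id: string;
  projectId: string;
  resourceType: ResourceType;
  policyId?: string;
}

// Assumed analogue of PAM_ACCOUNT_POLICY_RULE_SUPPORTED_RESOURCES:
// which rule types the gateway can enforce for each resource type.
const RULE_SUPPORTED_RESOURCES: Record<PolicyRule["type"], ReadonlySet<ResourceType>> = {
  "command-block": new Set<ResourceType>(["postgres", "mysql", "ssh"]),
  "log-mask": new Set<ResourceType>(["ssh"]),
};

// Pattern validation. The PR's schema uses RE2 (linear-time matching);
// RegExp here only rejects syntactically invalid or oversized patterns.
export function validatePattern(pattern: string): void {
  if (pattern.length === 0 || pattern.length > 256) throw new Error("pattern length out of range");
  try {
    new RegExp(pattern);
  } catch {
    throw new Error(`invalid pattern: ${pattern}`);
  }
}

// A policy with no rules is rejected (the review notes a `refine` doing this).
export function validatePolicy(policy: AccountPolicy): void {
  if (policy.rules.length === 0) throw new Error("policy must contain at least one rule");
  for (const rule of policy.rules) validatePattern(rule.pattern);
}

// Cross-project assignment check, applied on both create and update paths.
export function assignPolicy(account: PamAccount, policy: AccountPolicy): PamAccount {
  if (policy.projectId !== account.projectId) {
    throw new Error("policy belongs to a different project");
  }
  return { ...account, policyId: policy.id };
}

// What the gateway receives with session credentials: only rules of the
// account's active policy that its resource type supports.
export function rulesForSession(account: PamAccount, policy: AccountPolicy | undefined): PolicyRule[] {
  if (!policy || !policy.isActive || policy.id !== account.policyId) return [];
  return policy.rules.filter((r) => RULE_SUPPORTED_RESOURCES[r.type].has(account.resourceType));
}

// Gateway-side enforcement of the two rule types.
export function isCommandBlocked(rules: PolicyRule[], command: string): boolean {
  return rules.some((r) => r.type === "command-block" && new RegExp(r.pattern, "i").test(command));
}

export function maskLogLine(rules: PolicyRule[], line: string): string {
  let out = line;
  for (const r of rules) {
    if (r.type === "log-mask") out = out.replace(new RegExp(r.pattern, "g"), r.replacement ?? "***");
  }
  return out;
}

// Constructed sample data for a run.
export const demoPolicy: AccountPolicy = {
  id: "pol-1",
  projectId: "proj-A",
  name: "no destructive ddl",
  isActive: true,
  rules: [
    { type: "command-block", pattern: "^\\s*drop\\s+(table|database)\\b" },
    { type: "log-mask", pattern: "password=\\S+", replacement: "password=***" },
  ],
};
export const pgAccount: PamAccount = { id: "acc-1", projectId: "proj-A", resourceType: "postgres", policyId: "pol-1" };
export const sshAccount: PamAccount = { id: "acc-2", projectId: "proj-A", resourceType: "ssh", policyId: "pol-1" };
```

Note the asymmetry the resource filter produces: the same policy yields one rule for the Postgres account (command blocking) and two for the SSH account (blocking plus log masking), so a masking rule attached to a resource that cannot enforce it silently does nothing rather than being rejected at policy creation.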