Glossary policy rule not applied correctly #24796

@ioanamanole2804

Affected module
Does it impact the UI, backend or Ingestion Framework?
UI
Describe the bug
A clear and concise description of what the bug is.
As a user with a policy that specifically says I am allowed to see only a glossary with a specific tag, I can see all other glossaries existing in the UI.
To Reproduce
Assigned a team (with one user who is only part of that team) to a new role "External Partner" and created a policy for that role, with the below conditions:
Resources: Glossary, Glossary Term
Operations: ViewAll
Effect: Allow
Condition: matchAnyTag('Domain.Finance')
Added the policy to the role, but the user can see all glossaries from the list. I have created a "Domain" Classification and a "Finance" tag and applied it only to a Glossary called "Finance" and the "Turnover" glossary term. Glossary term "Turnover" had associated terms from a database table and that table inherited the tag.
Screenshots or steps to reproduce
Create a new team called "Team"
Created a new role called "External Partner"
Created a new policy with the conditions above
Create a new Classification called "Domain"
Create a new tag under the above classification called "Finance"
Create a new Glossary called "Finance"
Create a new Glossary term called "turnover" under Finance Glossary
Add "Domain.Finance" tag to Finance Glossary and Turnover Glossary term
Add a user to the "Team" team
Go to Govern --> Glossary. Other glossaries which don't have that tag are also visible.

PS: I have tried to add a Deny rule for all Glossaries and glossary terms with the >>"NOT matchanytag('Domain.Finance')"<< condition, and I get "No data available" if I access the Glossary module. Organization policy is set to Allow "ViewAll" resources. Also, in Settings --> preferences --> Search --> Enable Roles & Policies in Search is enabled.

Expected behavior
A clear and concise description of what you expected to happen.
User with role "External partner" should be able to see only the Finance glossary under Govern --> Glossary, and under Explore, the database table which contains the Domain.Finance tag.
Version:

  • OS:
  • Python version:
  • OpenMetadata version: 1.10.5
  • OpenMetadata Ingestion package version:

Additional context
Add any other context about the problem here.
Our use is: we want to open OpenMetadata to an external partner and their users to see only their specific glossaries and other data assets we tag for them with a specific tag.
