[backend/frontend] protect groups and roles and add FF

opencti-platform/opencti-front/src/private/components/settings/groups/Group.tsx

@@ -63,6 +63,7 @@ const groupFragment = graphql`
     rolesOrderMode: { type: "OrderingMode", defaultValue: asc }
   ) {
     id
+    standard_id
     entity_type
     name
     default_assignation
@@ -124,7 +125,7 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
   const classes = useStyles();
   const { t_i18n } = useFormatter();
   const group = useFragment<Group_group$key>(groupFragment, groupData);
-  const { ffenabled, isSensitiveModifAllowed } = useSensitiveModifications();
+  const { ffenabled, isGroupEditionAllowed } = useSensitiveModifications();
   const markingsSort = R.sortWith([
     R.ascend(R.propOr('TLP', 'definition_type')),
     R.descend(R.propOr(0, 'x_opencti_order')),
@@ -156,7 +157,7 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
         {group.name}
       </Typography>
       {ffenabled && (
-        isSensitiveModifAllowed
+        isGroupEditionAllowed(group.standard_id)
           ? <div className={classes.popover}>
             <GroupPopover groupId={group.id} />
           </div>
@@ -471,7 +472,7 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
         <GroupUsers groupId={group.id} />
       </Grid>
       {ffenabled && (
-        isSensitiveModifAllowed
+        isGroupEditionAllowed(group.standard_id)
           ? <div className={classes.popover}>
             <GroupEdition groupId={group.id} />
           </div>

opencti-platform/opencti-front/src/private/components/settings/roles/Role.tsx

@@ -53,6 +53,7 @@ const useStyles = makeStyles(() => ({
 const roleFragment = graphql`
   fragment Role_role on Role {
     id
+    standard_id
     name
     description
     created_at
@@ -83,7 +84,7 @@ const Role = ({
         : null))
       .filter((n) => n !== null && n !== undefined);
   };
-  const { ffenabled, isSensitiveModifAllowed } = useSensitiveModifications();
+  const { ffenabled, isRoleEditionAllowed } = useSensitiveModifications();
   const role = useFragment<Role_role$key>(roleFragment, roleData);
   const queryRef = useQueryLoading<RoleEditionCapabilitiesLinesSearchQuery>(
     roleEditionCapabilitiesLinesSearch,
@@ -100,7 +101,7 @@ const Role = ({
           {role.name}
         </Typography>
         {ffenabled && (
-          isSensitiveModifAllowed
+          isRoleEditionAllowed(role.standard_id)
             ? <div className={classes.popover}>
               <RolePopover roleId={role.id}/>
             </div>
@@ -183,7 +184,7 @@ const Role = ({
           if (props && props.role) {
             if (ffenabled) {
               return (
-                isSensitiveModifAllowed
+                isRoleEditionAllowed(role.standard_id)
                   ? <RoleEdition
                       role={props.role}
                     />

opencti-platform/opencti-front/src/utils/hooks/useSensitiveModifications.ts

@@ -3,11 +3,36 @@ import useHelper from './useHelper';
 
 const PROTECT_SENSITIVE_CHANGES_FF = 'PROTECT_SENSITIVE_CHANGES';
 
+const ADMINISTRATOR_GROUP_ID = 'group--22abb1ff-6ea9-5833-8bf1-aea5c4c971ce';
+const CONNECTOR_GROUP_ID = 'group--599fc7ab-02f4-50c1-94f9-4b68da122010';
+const DEFAULT_GROUP_ID = 'group--a7991a4f-6192-59a4-87d3-d006d2c41cc8';
+const PROTECTED_GROUPS_IDS = [ADMINISTRATOR_GROUP_ID, CONNECTOR_GROUP_ID, DEFAULT_GROUP_ID];
+
+const ADMINISTRATOR_ROLE_ID = 'role--22abb1ff-6ea9-5833-8bf1-aea5c4c971ce';
+const CONNECTOR_ROLE_ID = 'role--b375ed46-a11c-56d5-a2d4-0c654f61eeee';
+const DEFAULT_ROLE_ID = 'role--a7991a4f-6192-59a4-87d3-d006d2c41cc8';
+const PROTECTED_ROLES_IDS = [ADMINISTRATOR_ROLE_ID, CONNECTOR_ROLE_ID, DEFAULT_ROLE_ID];
+
 const useSensitiveModifications = () => {
   const { me } = useAuth();
   const { isFeatureEnable } = useHelper();
-  // When is_sensitive_changes_allow is not set then it's allowed.
-  return { ffenabled: isFeatureEnable(PROTECT_SENSITIVE_CHANGES_FF), isSensitiveModifAllowed: me.is_sensitive_changes_allow ?? true };
+  const isGroupEditionAllowed = (groupStandardId: string) => {
+    if (me.is_sensitive_changes_allow) {
+      return true;
+    }
+    return !PROTECTED_GROUPS_IDS.includes(groupStandardId);
+  };
+  const isRoleEditionAllowed = (roleStandardId: string) => {
+    if (me.is_sensitive_changes_allow) {
+      return true;
+    }
+    return !PROTECTED_ROLES_IDS.includes(roleStandardId);
+  };
+  return {
+    ffenabled: isFeatureEnable(PROTECT_SENSITIVE_CHANGES_FF),
+    isGroupEditionAllowed,
+    isRoleEditionAllowed,
+  };
 };
 
 export default useSensitiveModifications;

opencti-platform/opencti-graphql/src/modules/attributes/internalObject-registrationAttributes.ts

@@ -347,7 +347,7 @@ const internalObjectsAttributes: { [k: string]: Array<AttributeDefinition> } = {
   [ENTITY_TYPE_ROLE]: [
     { name: 'name', label: 'Name', type: 'string', format: 'short', mandatoryType: 'external', editDefault: true, multiple: false, upsert: false, isFilterable: true },
     { name: 'description', label: 'Description', type: 'string', format: 'text', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: true },
-    { name: 'is_sensitive_changes_allow', label: 'Is sensitive changes allowed', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
+    { name: 'is_sensitive_changes_allow', label: 'Is sensitive changes allowed', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false, featureFlag: 'PROTECT_SENSITIVE_CHANGES' },
   ],
   [ENTITY_TYPE_RULE]: [
     { name: 'active', label: 'Status', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: true, isFilterable: true }