How to proceed if RBAC prohibits viewing of a key?

[tuxmea]

Should HDM show that access to the key is denied?
Should HDM show nothing?

[TwizzyDizzy]

From a UX perspective it makes sense to:

• let the user know that there is something rather than simply omitting that information silently and thereby sowing confusion
• visually indicate, that they key is there, but cannot be accessed. Suggestion: grey out that key or indicate permission issues by even highlighting it in a signal color like e.g. red

Cheers
Thomas

[rwaffen]

we talked about this already and looked at it from a security perspective: when you are not allowed to see something, you should not know that there is something 🤔 like it is in other products.

[tuxmea]

@TwizzyDizzy many thanks for the comment.
As @rwaffen already mentioned: we had an internal discussion on this topic.

Arguments against showing presence of existing data without access:

• knowing that there is a secret is a security violation
• letting people know that there is a secret which they can not access causes irritation and potentially let people hack around, getting the data.

Arguments for showing that there is a secret without access:

• easy to request access to

We had a look at other tools and we learned that most tools will not show any occurrence of non-accessible data.

Please let us know if you see other reasons on why to show hidden data.

[tuxmea]

No further comment.
@oneiros Solution: show hint: You are either not allowed to access the data or the requested data do not exist.