From 6146c1243c0af038b163584fa978ad4aa0aab35f Mon Sep 17 00:00:00 2001
From: mdueltgen <148897369+mdueltgen@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:21:18 -0400
Subject: [PATCH 1/2] Removing Groups 7.1
---
 baselines/groups.md | 42 +------------------
 .../GWS Drift Monitoring Rules - Groups.csv | 3 +-
 2 files changed, 2 insertions(+), 43 deletions(-)
diff --git a/baselines/groups.md b/baselines/groups.md
index 40c3c7e0..ccbfef4b 100644
--- a/baselines/groups.md
+++ b/baselines/groups.md
@@ -16,7 +16,6 @@ This baseline is based on Google documentation available at [Google Workspace Ad
 - [Group Creation](#4-group-creation)
 - [Default Permissions for Viewing Conversations](#5-default-permissions-for-viewing-conversations)
 - [Ability to Hide Groups from the Directory](#6-ability-to-hide-groups-from-the-directory)
-- [New Groups](#7-new-groups)
 Settings can be assigned to certain users within Google Workspace through organizational units, configuration groups, or individually. Before changing a setting, the user can select the organizational unit, configuration group, or individual users to which they want to apply changes.
@@ -259,43 +258,4 @@ To configure the settings for Sharing options:
 3. Select **Sharing settings** -\> **Sharing options**.
 4. **Uncheck** the **Group owners can hide groups from the directory** checkbox.
 5. **Ensure** that the **hide newly created groups from the directory** checkbox is not selected.
-6. Select **Save**.
-
-## 7. New Groups
-
-This section covers the access type setting for new groups that are created.
-
-### Policies
-
-#### GWS.GROUPS.7.1v0.3
-New Groups SHOULD be created with an Access type of Restricted unless necessary for agency mission fulfillment.
-
-- _Rationale:_ Groups may contain private or sensitive information not appropriate for the entire Google Workspace organization. Restricting access to group members reduces the risk of data loss.
-- _Last modified:_ July 10, 2023
-
-- MITRE ATT&CK TTP Mapping
- - [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- - [T1069: Permission Groups Discovery](https://attack.mitre.org/techniques/T1069/)
- - [T1069:003: Permission Groups Discovery: Cloud Groups](https://attack.mitre.org/techniques/T1069/003/)
-
-### Resources
-
-- [Google Workspace Admin Help: Create a group in your organization](https://support.google.com/a/answer/9400082?hl=en&fl=1&sjid=14580240338213574276-NC)
-
-### Prerequisites
-
-- This control only applies to agencies with Google Groups for Business enabled.
-
-### Implementation
-
-#### GWS.GROUPS.7.1v0.3 Instructions
-To configure Access type for a Google Group:
-
-1. Sign in to the [Google Admin Console](https://admin.google.com).
-2. Select **Directory** -\> **Groups.**
-3. Select **Create group.**
-4. Fill in the details for the new group and click **Next.**
-5. In the **Access type** section, select the **Restricted** radio button.
-6. If the group needs to receive messages from non-members, select the appropriate checkboxes in the **Who can post** row.
-7. Select **Next.**
-8. Select **Create Group.**
+6. Select **Save**.
\ No newline at end of file
diff --git a/drift-rules/GWS Drift Monitoring Rules - Groups.csv b/drift-rules/GWS Drift Monitoring Rules - Groups.csv
index b05f0ec4..5b24586f 100644
--- a/drift-rules/GWS Drift Monitoring Rules - Groups.csv
+++ b/drift-rules/GWS Drift Monitoring Rules - Groups.csv
@@ -4,5 +4,4 @@ GWS.GROUPS.2.1v0.3,Group owners’ ability to add external members to groups SHO
 GWS.GROUPS.3.1v0.3,"Group owners’ ability to allow posting to a group by an external, non-group member SHOULD be disabled unless necessary for agency mission fulfillment.",Admin Log Event,Change Application Setting,GroupsSharingSettingsProto owners_can_allow_incoming_mail_from_public,false,rules/00gjdgxs0lw54bd,JK 08-01-23 @ 14:52
 GWS.GROUPS.4.1v0.3,Group creation SHOULD be restricted to admins within the organization unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto who_can_create_groups,ADMIN_ONLY,rules/00gjdgxs35vsmz6,JK 08-01-23 @ 15:06
 GWS.GROUPS.5.1v0.3,The default permission to view conversations SHALL be set to All Group Members.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto default_view_topics_access_level,MEMBERS,rules/00gjdgxs24dq6r2,JK 08-01-23 @ 15:14
-GWS.GROUPS.6.1v0.3,Group owners’ ability to hide groups from the directory SHOULD be disabled unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto allow_unlisted_groups,false,rules/00gjdgxs0zbb0ae,JK 08-01-23 @ 15:22
-GWS.GROUPS.7.1v0.3,New Groups SHOULD be created with an Access type of Restricted unless necessary for agency mission fulfillment.,N/A,N/A,N/A,N/A,N/A,Not Alertable
\ No newline at end of file
+GWS.GROUPS.6.1v0.3,Group owners’ ability to hide groups from the directory SHOULD be disabled unless necessary for agency mission fulfillment.,Admin Log Event,Change Application Setting,GroupsSharingSettingsProto allow_unlisted_groups,false,rules/00gjdgxs0zbb0ae,JK 08-01-23 @ 15:22
\ No newline at end of file
From 70ed99efeec871c47f7dbe6a12604b2921f837e2 Mon Sep 17 00:00:00 2001
From: buidav <105074908+buidav@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:44:20 -0700
Subject: [PATCH 2/2] rm GWS.GROUPS.7
---
 Testing/RegoTests/groups/groups07_test.rego | 399 --------------------
 rego/Groups.rego | 81 ----
 2 files changed, 480 deletions(-)
 delete mode 100644 Testing/RegoTests/groups/groups07_test.rego
diff --git a/Testing/RegoTests/groups/groups07_test.rego b/Testing/RegoTests/groups/groups07_test.rego
deleted file mode 100644
index 934d1159..00000000
--- a/Testing/RegoTests/groups/groups07_test.rego
+++ /dev/null
@@ -1,399 +0,0 @@
-package groups
-import future.keywords
-
-
-#
-# Policy 1
-#--
-test_Group_Correct_V1 if {
- # Test one group that is correct
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all groups."
-}
-
-test_Group_Correct_V2 if {
- # Test multiple groups that are correct
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- {
- "email": "admin2@example.org",
- "name": "Group 2",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all groups."
-}
-
-test_Group_Correct_V3 if {
- # Test no groups
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
-
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "No groups found in Organization."
-}
-
-test_Group_Correct_V4 if {
- # In cases where Groups 6.1 is compliant, Groups 7.1 should be automatically compliant,
- # even if "allowExternalMembers" is set to true.
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "groups_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto allow_unlisted_groups"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": ""
- },
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "true",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all groups."
-}
-
-test_Group_Correct_V5 if {
- # If Groups 6.1 is compliant test for multiple groups
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "groups_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto allow_unlisted_groups"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": ""
- },
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "true",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- {
- "email": "admin2@example.org",
- "name": "Group 2",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all groups."
-}
-
-test_Group_Correct_V6 if {
- # If Groups 6.1 is noncompliant, Groups 7.1 must have restricted access type to be compliant
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "groups_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "SETTING_NAME", "value": "Some other value"},
- {"name": "NEW_VALUE", "value": "false"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": ""
- },
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement met in all groups."
-}
-
-test_Group_Incorrect_V1 if {
- # Test one group that is incorrect
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "true",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement failed in Group 1."
-}
-
-test_Group_Incorrect_V2 if {
- # Test multiple groups where 1 is incorrect
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- {
- "email": "admin2@example.org",
- "name": "Group 2",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ALL_MEMBERS_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement failed in Group 2."
-}
-
-test_Group_Incorrect_V3 if {
- # Test multiple groups where both are incorrect
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "ANYONE_CAN_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- {
- "email": "admin2@example.org",
- "name": "Group 2",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MANAGERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ALL_MEMBERS_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement failed in Group 1, Group 2."
-}
-
-test_Group_Incorrect_V4 if {
- # Test multiple groups where both are incorrect in multiple ways
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_OWNERS_CAN_VIEW",
- "whoCanModerateMembers": "NONE",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- {
- "email": "admin2@example.org",
- "name": "Group 2",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "false",
- "whoCanPostMessage": "NONE_CAN_POST",
- "whoCanContactOwner": "ALL_IN_DOMAIN_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement failed in Group 1, Group 2."
-}
-
-test_Group_Incorrect_V5 if {
- # If ability for groups to be hidden is enabled, then Groups 7.1 should be disabled
- PolicyId := "GWS.GROUPS.7.1v0.3"
- Output := tests with input as {
- "groups_logs": {"items": [
- {
- "id": {"time": "2022-12-20T00:02:28.672Z"},
- "events": [{
- "parameters": [
- {"name": "SETTING_NAME", "value": "GroupsSharingSettingsProto allow_unlisted_groups"},
- {"name": "NEW_VALUE", "value": "true"},
- {"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
- ]
- }]
- }
- ]},
- "tenant_info": {
- "topLevelOU": ""
- },
- "group_settings": [
- {
- "email": "admin1@example.org",
- "name": "Group 1",
- "whoCanJoin": "CAN_REQUEST_TO_JOIN",
- "whoCanViewMembership": "ALL_MEMBERS_CAN_VIEW",
- "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
- "whoCanModerateMembers": "OWNERS_AND_MANAGERS",
- "allowExternalMembers": "true",
- "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
- "whoCanContactOwner": "ANYONE_CAN_CONTACT"
- },
- ]
- }
-
- RuleOutput := [Result | some Result in Output; Result.PolicyId == PolicyId]
- count(RuleOutput) == 1
- not RuleOutput[0].RequirementMet
- not RuleOutput[0].NoSuchEvent
- RuleOutput[0].ReportDetails == "Requirement failed in Group 1."
-}
-#--
\ No newline at end of file
diff --git a/rego/Groups.rego b/rego/Groups.rego
index 72107b9f..3ad17ded 100644
--- a/rego/Groups.rego
+++ b/rego/Groups.rego
@@ -375,85 +375,4 @@ if {
 count(Events) > 0
 Status := count(NonCompliantOUs6_1) == 0
 }
-#--
-
-################
-# GWS.GROUPS.7 #
-################
-
-#
-# Baseline GWS.GROUPS.7.1v0.3
-#--
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.whoCanJoin != "CAN_REQUEST_TO_JOIN"
-}
-
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.whoCanViewMembership != "ALL_MEMBERS_CAN_VIEW"
-}
-
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.whoCanViewGroup != "ALL_MEMBERS_CAN_VIEW"
-}
-
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.whoCanModerateMembers != "OWNERS_AND_MANAGERS"
-}
-
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.allowExternalMembers != "false"
-}
-
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.whoCanPostMessage != "ALL_MEMBERS_CAN_POST"
-}
-
-NonCompliantGroups7_1 contains Group.name if {
- CheckGroups6_1Compliance(LogEvents, NonCompliantOUs6_1) == false
- some Group in input.group_settings
- Group.whoCanContactOwner != "ANYONE_CAN_CONTACT"
-}
-
-# if there are no groups, it has to be safe.
-tests contains {
- "PolicyId": "GWS.GROUPS.7.1v0.3",
- "Prerequisites": ["directory/v1/domains/list", "directory/v1/groups/list", "groups-settings/v1/groups/get"],
- "Criticality": "Should",
- "ReportDetails": utils.NoGroupsDetails(Groups),
- "ActualValue": utils.NoGroupsDetails(Groups),
- "RequirementMet": true,
- "NoSuchEvent": false
-}
-if {
- Groups := {Group.email | some Group in input.group_settings}
- count(Groups) == 0
-}
-
-# if there are groups
-tests contains {
- "PolicyId": "GWS.GROUPS.7.1v0.3",
- "Prerequisites": ["directory/v1/domains/list", "directory/v1/groups/list", "groups-settings/v1/groups/get"],
- "Criticality": "Should",
- "ReportDetails": utils.ReportDetailsGroups(NonCompliantGroups7_1),
- "ActualValue": {"NonCompliantGroups": NonCompliantGroups7_1},
- "RequirementMet": Status,
- "NoSuchEvent": false
-}
-if {
- Groups := {Group.email | some Group in input.group_settings}
- count(Groups) > 0
- Status := count(NonCompliantGroups7_1) == 0
-}
 #--
\ No newline at end of file