Security bug in Search of ARIS Connect ??

Hello Isidre,

your description is a bit awkward - maybe resulting from a misunderstanding:

ARIS Connect and ARIS Architect are client products. They have nothing to do with the authorizations to resources a user has received. In fact: The same user should see the same content whether he uses ARIS Connect Portal or ARIS Architect.

Access to content is based on groups (let me call them "folders" for now in order to avoid mixing them with the term "user group") of the database. Each folder knows a set of access permissions. Every user or user group (as defined in the UMC) can be granted permissions such as RW for each single folder. A user that is a member of a user group gets all permissions granted to this user group as well as the permissions granted to him individually. If he is a member of multiple user groups, his permissions add up from all those.

So in the Connect Portal Search the user will see results from all groups where he has at least a read permission - either individually or through at least one of the user groups he is a member of.

If you have a user, who has the "system" privilege on the database or who has the function privilege "Database administrator" on the ARIS tenant, he can see the entire content of the database - no matter which privileges were assigned to him individually or via user groups.

I hope this clarifies things a little bit. It always boils down to the question of which privileges the individual user has for a particular database folder where the object in question (object or model) resides.

Regards,

M. Zschuckelt

Thanks for your comments.

Possibly my English is less than correct and I have not explained myself adequately.
The problem detected is:
The DB is given rw permissions using ARIS Connect.
Subsequently, some folders in the DB are withdrawn permissions (--- using ARIS Architect as system)
Using the ARIS Connect search, it is possible to see models located in the excluded folders, but the excluded folders are not displayed in the folder view on the left.

Regards

Hello Isidre,

I suppose in Connect you used the "Database permissions" to grant the permissions to some user or user group?

In this case these permissions for this user or user group were written to all database groups (folders).

Next assumption: You removed the permission for the same user or user group using Architect on those excluded folders. Is it possible that these folders have further subfolders where you did not revoke those read/write permissions and that the artifacts found in the search are contained in those?

If you want to apply a change of permissions to an entire sub-tree of folders, you have to select "pass on privileges" in the Architect dialogue when you remove the permission from the root folder of the folder structure you want to change.

Does this help?

Regards, M. Zschuckelt

Thank you,
we had a wrong configuration
Best regards