Problem with access privileges: contradiction between defined privileges and actual access

Bruno Vanhecke on May 4, 2011

Hello,

We encountered an important security problem in ARIS (SR2010-08) today. One of the groups in our database structure contains sensitive information. Therefore we defined the access privileges of that group to be accessible only for a few users. All other users have no access (----) defined in their profile.

However it appears that users without access privileges are able to open (thus read) the models within that group.

After checking and double checking the defined privileges, I have to turn to the community to see if somebody has the same problem, has an explanation, has a solution.

thanks in advance.

Bookmark

Notify Moderator

6 Replies

Koen Maes on May 5, 2011 - 08:54

Hi Bruno,

Please select the group and verify the access privileges (in properties). You should see the list of users with for each of them the access they have.

I'm thinking that maybe on a user level you have specified that they don't have access, but these users inherit the access from a user group that they belong to. Maybe a group 'readers' that has been defined and which has read rights on all groups?

regards,
Koen

or register to reply.

Notify Moderator

Bruno Vanhecke Author on May 5, 2011 - 11:37

Hello Koen,

thanks for your response. I considered that possibility and checked in all possible ways. But there is nothing defined, nor in user properties, nor in user groups to grant the access.

So you can understand that I'm in trouble.

regards

Bruno

or register to reply.

Notify Moderator

Anita Halse on May 5, 2011 - 12:37

Hi Bruno,

Can you perhaps post a screendump of the revant group as well as the user group associated with it?

Regards,

Anita

or register to reply.

Notify Moderator

Bruno Vanhecke Author on May 5, 2011 - 14:29

Hi,

here's a screemdump of the properties of the group with part of the list of the users. I highlighted two users. The first one has no privileges but is able to open the models in the group.The second person is part of a usergroup that has access privileges to the group and the models therein.

regards

or register to reply.

Notify Moderator

Brian Toops on May 9, 2011 - 15:47

Hi Bruno,

We recently upgraded from version 7.1 SR5 to SR9 and were also awaiting a bug fix in the permissions area, but it was different than your issue. We use LDAP (DS) for our authentication mechanism and our bug was specific to using LDAP.

Our problem we were having was that users/groups that had the "delete" permission bit could not delete folders in the ARIS folder structure, even though we had the permissions properly. Our workaround was to make certain users System Users so they could delete folders, but your prolem is even worse, as you essentially have loose control to restrict permissions.

So if you are using LDAP, maybe these issues are related? If I remember right, I'm fairly certain our bug was fixed in the SR8-SR9 release, so maybe your issue was also fixed as a result?

Sorry I can't provide much more help for your issue here, but just wanted to mention our similar permissions problem back in SR5.

Regards,

Brian Toops

Cargill, Inc.

ARIS System Analyst

or register to reply.

Notify Moderator

Rudollf Domingues on June 1, 2011 - 14:57 as Reply to Miguel Angel Barón Romero

Hi Bruno,

First of all, sorry for my english I´m still learnning.

Did you check if the object definition of these models was only stored inside the group that you wanna block access.

If for some reason the object definition was saved in other group and the user has access to this group he will be able to see the occurrence copy in any part of the database.

Regards

Rudollf

or register to reply.

Notify Moderator