
Hello,

We encountered an important security problem in ARIS (SR2010-08) today. One of the groups in our database structure contains sensitive information. Therefore we defined the access privileges of that group to be accessible only for a few users. All other users have no access (----) defined in their profile.

However it appears that users without access privileges are able to open (thus read) the models within that group.

After checking and double checking the defined privileges, I have to turn to the community to see if somebody has the same problem, an explanation, or a solution.

Thanks in advance.

 

by Koen Maes
Posted on Thu, 05/05/2011 - 08:54

Hi Bruno,

Please select the group and verify the access privileges (in properties). You should see the list of users with for each of them the access they have.

I'm thinking that maybe on a user level you have specified that they don't have access, but these users inherit the access from a user group that they belong to. Maybe a group 'readers' that has been defined and which has read rights on all groups?

regards,
Koen

0
by Bruno Vanhecke Author
Posted on Thu, 05/05/2011 - 11:37

Hello Koen,

Thanks for your response. I considered that possibility and checked in all possible ways. But there is nothing defined, neither in user properties nor in user groups, to grant the access.

So you can understand that I'm in trouble.

regards

Bruno

0
by Rudollf Domingues
Posted on Wed, 06/01/2011 - 14:57

In reply to by miguel.baron

Hi Bruno,

 

First of all, sorry for my English, I'm still learning.

 

Did you check whether the object definitions of these models are stored only inside the group to which you want to block access?

If for some reason an object definition was saved in another group and the user has access to that group, he will be able to see the occurrence copy in any part of the database.

Regards

Rudollf

0
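The two explanations offered so far (read rights inherited from a user group, and object definitions stored in a group the user can read) can be checked systematically. The following is an added example, not ARIS code or anything from the posters; it assumes, as the thread suggests, that effective privileges are the union of a user's own privileges and those of every user group the user belongs to, and that an occurrence is readable wherever its definition's group is readable. All names and privilege strings are constructed sample data.

```python
# Added example (not ARIS code): audit why a user shown as "----" on a group
# can still read that group's models, following the two hypotheses in the thread.
# Assumption: effective privileges = union of user privileges and user-group
# privileges; a readable object definition exposes its occurrences elsewhere.

GROUP_ACL = {  # constructed sample: group -> {principal: privilege string rwd-}
    "Confidential": {"alice": "rwd-", "readers": "r---", "bob": "----"},
    "Public":       {"readers": "r---", "carol": "r---", "bob": "r---"},
}
USER_GROUPS = {"alice": set(), "bob": {"readers"}, "carol": set()}
# constructed sample: groups in which each model's object definitions are stored
OBJECT_DEFINITIONS = {"Confidential/Org chart": ["Public", "Confidential"]}


def effective_read(user, group):
    """Return the principals (user or user groups) that grant `user` read on `group`.

    An empty list means no effective read access under the union assumption.
    """
    acl = GROUP_ACL.get(group, {})
    principals = [user, *sorted(USER_GROUPS.get(user, ()))]
    return [p for p in principals if "r" in acl.get(p, "----")]


def audit(user, model):
    """List every path by which `user` can read the content of `model`."""
    group = model.rsplit("/", 1)[0]
    findings = []
    via = effective_read(user, group)
    if via and user not in via:
        # Koen's hypothesis: explicit "----" on the user, read inherited from a group
        findings.append(f"{user} has '----' on {group} but inherits read via {via}")
    elif via:
        findings.append(f"{user} holds read on {group} directly")
    # Rudollf's hypothesis: definitions stored in another group the user can read
    for other in OBJECT_DEFINITIONS.get(model, []):
        if other != group and effective_read(user, other):
            findings.append(f"definitions of {model} are stored in {other}, readable by {user}")
    return findings


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, audit(u, "Confidential/Org chart"))
```

A user with "----" and an empty result from `audit` is genuinely blocked under these assumptions; any finding names the path that should be checked in the group properties or the definition's storage location.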
by Anita Halse
Posted on Thu, 05/05/2011 - 12:37

Hi Bruno,

 

Can you perhaps post a screendump of the relevant group as well as the user group associated with it?

 

Regards,

Anita

0
by Bruno Vanhecke Author
Posted on Thu, 05/05/2011 - 14:29

Hi,

Here's a screendump of the properties of the group with part of the list of the users. I highlighted two users. The first one has no privileges but is able to open the models in the group. The second person is part of a user group that has access privileges to the group and the models therein.

regards

0
by Brian Toops
Posted on Mon, 05/09/2011 - 15:47

Hi Bruno,

We recently upgraded from version 7.1 SR5 to SR9 and were also awaiting a bug fix in the permissions area, but it was different than your issue. We use LDAP (DS) for our authentication mechanism and our bug was specific to using LDAP.

The problem we were having was that users/groups that had the "delete" permission bit could not delete folders in the ARIS folder structure, even though we had the permissions set properly. Our workaround was to make certain users System Users so they could delete folders, but your problem is even worse, as you essentially lose control to restrict permissions.

So if you are using LDAP, maybe these issues are related? If I remember right, I'm fairly certain our bug was fixed in the SR8-SR9 release, so maybe your issue was also fixed as a result?

Sorry I can't provide much more help for your issue here, but just wanted to mention our similar permissions problem back in SR5.

Regards,

Brian Toops

Cargill, Inc.

ARIS System Analyst

0