Hello,
We encountered an important security problem in ARIS (SR2010-08) today. One of the groups in our database structure contains sensitive information. Therefore we defined the access privileges of that group to be accessible only for a few users. All other users have no access (----) defined in their profile.
However it appears that users without access privileges are able to open (thus read) the models within that group.
After checking and double checking the defined privileges, I have to turn to the community to see if somebody has the same problem, has an explanation, has a solution.
thanks in advance.
Hi Bruno,
Please select the group and verify the access privileges (in properties). You should see the list of users with for each of them the access they have.
I'm thinking that maybe on a user level you have specified that they don't have access, but these users inherit the access from a user group that they belong to. Maybe a group 'readers' that has been defined and which has read rights on all groups?
regards,
Koen
Hi Bruno,
First of all, sorry for my english I´m still learnning.
Did you check if the object definition of these models was only stored inside the group that you wanna block access.
If for some reason the object definition was saved in other group and the user has access to this group he will be able to see the occurrence copy in any part of the database.
Regards
Rudollf
Hi,
here's a screemdump of the properties of the group with part of the list of the users. I highlighted two users. The first one has no privileges but is able to open the models in the group.The second person is part of a usergroup that has access privileges to the group and the models therein.
regards
.jpg)
Hi Bruno,
We recently upgraded from version 7.1 SR5 to SR9 and were also awaiting a bug fix in the permissions area, but it was different than your issue. We use LDAP (DS) for our authentication mechanism and our bug was specific to using LDAP.
Our problem we were having was that users/groups that had the "delete" permission bit could not delete folders in the ARIS folder structure, even though we had the permissions properly. Our workaround was to make certain users System Users so they could delete folders, but your prolem is even worse, as you essentially have loose control to restrict permissions.
So if you are using LDAP, maybe these issues are related? If I remember right, I'm fairly certain our bug was fixed in the SR8-SR9 release, so maybe your issue was also fixed as a result?
Sorry I can't provide much more help for your issue here, but just wanted to mention our similar permissions problem back in SR5.
Regards,
Brian Toops
Cargill, Inc.
ARIS System Analyst
