Since I have seen VALID system behaviour bugged in the past I wanted to read up on the issue listed in this thread. SW00221647 has a description of the following:

"The form can still be accessed through Mid-Tier directly if Hidden permissions are set on the form."

And currently shows a disposition of: "Converted to RFE"

I personally do not see this as a "BUG" or a flaw in the behaviour of the system or client. However I can see an enhancement request for the behaviour of the Remedy clients. (Such a change would give a false sense of security to some developers, but it might also prevent the need to build workflow to implement such client behaviour too.)

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.

On 11/10/06, shweta kumar <[EMAIL PROTECTED]> wrote:
I had discussed this issue with Remedy several months back and it was reported as ARSystem bug SW00221647.

Shweta

Carey Matthew Black <[EMAIL PROTECTED]> wrote:

Parikshit,

Hidden access is still permission to access. The users can open the form in the User Tool if they are tricky enough, or if you have workflow that does it. (Not as easy as changing a URL, but not much harder either.)

If the users have access to the data then it is not a security problem for them to see the form or the data that they _ALREADY_ have access to. (If they should not see the data then look at row level access, or other filter based ways of getting at the data.)

If you want to block people from opening a form then you could create Window Open active links that would give an ERROR message and/or close the form for them. (This might be their last Mid-tier window and might "close the browser" too. Which would make them lose their session with the mid-tier and cause a higher incidence of "your already connected from another IP and you can not override that address yet" on the re-login attempts too.)

NOTE: Active links will not "protect" data from an API client. But they could block the form from being opened in the Mid-tier client if that is the only place that this logic should be applied. (Or in both the User Tool and Mid-Tier if you want as well.)

HTH

ARS101

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.

On 11/10/06, parikshit saxena wrote:
> Hi All
>
> We are trying to limit the access for a particular group of users on our application views on mid tier 6.3.
> The issue here is that the URL can be manipulated now by any user logging into the application and hence all sensitive data is exposed.
> We are trying to give Hidden permissions on the critical forms for this group, so that data can be accessed from those, but the forms are hidden on the web client.
> But this doesn't seem to work here.
> Though the forms are not coming in the object list on ARUser now, they are still visible on mid tier (despite a cache flush).
>
> Would be grateful if someone can provide some insights on this.
>
> Regards
> Parikshit
_______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"

