List,

Thanks all for your inputs. Yes, we have also zeroed in on the idea of popping an error on form access.

Regards
Parikshit

----- Original Message ----
From: Carey Matthew Black <[EMAIL PROTECTED]>
To: [email protected]
Sent: Sunday, 12 November, 2006 5:07:00 AM
Subject: Re: Form Permissions issue on mid tier

Since I have seen VALID system behaviour bugged in the past I wanted to read up on the issue listed in this thread.

SW00221647 has a description of the following:
" The form can still be accessed through Mid-Tier directly if Hidden permissions are set on the form. "

And currently shows a disposition of:
" Converted to RFE "

I personally do not see this as a "BUG" or a flaw in the behaviour of the system or client. However I can see an enhancement request for the behaviour of the Remedy clients. ( Such a change would give a false sense of security to some developers, but it might also prevent the need to build workflow to implement such client behaviour too.)

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.

On 11/10/06, shweta kumar <[EMAIL PROTECTED]> wrote:
> I had discussed this issue with Remedy several months back and it was
> reported as ARSystem bug SW00221647.
>
> Shweta
>
> Carey Matthew Black <[EMAIL PROTECTED]> wrote:
> Parikshit,
>
> Hidden access is still permission to access. The users can open the
> form in the User Tool if they are tricky enough, or if you have
> workflow that does it. (not as easy as changing a URL, but not much
> harder either.)
>
> If the users have access to the data then it is not a security problem
> for them to see the form or the data that they _ALREADY_ have access
> to. ( If they should not see the data then look at row level access,
> or other filter based ways of getting at the data.)
>
> If you want to block people from opening a form then you could create
> Window Open active links that would give an ERROR message and/or close
> the form for them. ( This might be their last Mid-tier window and
> might "close the browser" too. Which would make them lose their
> session with the mid-tier and cause a higher incidence of "you're already
> connected from another IP and you can not override that address yet"
> on the re-login attempts too.)
>
> NOTE: Active links will not "protect" data from an API client. But
> they could block the form from being opened in the Mid-tier client if
> that is the only place that this logic should be applied. ( or in both
> the User Tool and Mid-Tier if you want as well.)
>
> HTH
>
> ARS101
>
> --
> Carey Matthew Black
> Remedy Skilled Professional (RSP)
> ARS = Action Request System(Remedy)
>
> Love, then teach
> Solution = People + Process + Tools
> Fast, Accurate, Cheap.... Pick two.
>
> On 11/10/06, parikshit saxena wrote:
> > Hi All
> >
> > We are trying to limit the access for a particular group of users on our
> > application views on mid tier 6.3.
> > The issue here is that the URL can be manipulated now by any user logging
> > into the application and hence all sensitive data is exposed.
> > We are trying to give Hidden permissions on the critical forms for this
> > group, so that data can be accessed from those, but the forms are hidden on
> > the web client.
> > But this doesn't seem to work here.
> > Though the forms are not coming in the object list on ARUser now, but they
> > are still visible on mid tier (despite a cache flush).
> >
> > Would be grateful if someone can provide some insights on this.
> >
> > Regards
> > Parikshit

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
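
The distinction drawn in the thread (Hidden permission is still access, active links act only in the clients that run them, and row-level access is what limits data), as an added example that is not part of the original messages. It is a simplified Python model, not the AR System API; every name and all sample data are hypothetical.

```python
# Simplified model of the behaviour described in the thread. This is not the
# AR System API; all names and sample data below are hypothetical.
from dataclasses import dataclass, field

VISIBLE, HIDDEN = "visible", "hidden"
# Assumption: only interactive clients execute active links; API programs do not.
RUNS_ACTIVE_LINKS = {"user_tool", "mid_tier"}

@dataclass
class Form:
    name: str
    perms: dict   # group -> VISIBLE or HIDDEN
    rows: list    # (groups allowed to read the row, data) pairs
    # Groups stopped by a Window Open active link (client-side workflow).
    blocked_on_open: set = field(default_factory=set)

def in_object_list(form, groups):
    """A form is listed for browsing only when a group has Visible permission."""
    return any(form.perms.get(g) == VISIBLE for g in groups)

def server_grants_form(form, groups):
    """Hidden is still permission: the server accepts either value."""
    return any(g in form.perms for g in groups)

def fetch(form, groups, client):
    """Return (status, rows) for a user in `groups` connecting with `client`."""
    if not server_grants_form(form, groups):
        return ("denied_by_server", [])        # enforced for every client
    if client in RUNS_ACTIVE_LINKS and form.blocked_on_open & set(groups):
        return ("blocked_by_active_link", [])  # only where active links run
    # Row-level access is evaluated server-side, so it applies to every client.
    return ("ok", [data for allowed, data in form.rows if allowed & set(groups)])

# Constructed sample: group 'Restricted' holds Hidden permission on the form.
form = Form(
    name="Sample:Sensitive",
    perms={"HR": VISIBLE, "Restricted": HIDDEN},
    rows=[({"HR"}, "salary record"), ({"HR", "Restricted"}, "own profile")],
    blocked_on_open={"Restricted"},
)

if __name__ == "__main__":
    for client in ("mid_tier", "user_tool", "api"):
        print(client, fetch(form, ["Restricted"], client))
```

In this model the active link stops the Restricted group in both interactive clients, while the API path still returns every row that row-level access allows, so the row filter is the only control that limits the data itself.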

