"Security by Obscurity" is exactly the term my people used.

For example, one of my support staff users, not an admin, located
SYS:Status Transition Rules and was able to modify it.

BMC said if I modified these forms in any way I risked breaking
something else.

I find myself in a bit of a predicament. My people say "fix it" and BMC
says "don't change it."


-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of LJ LongWing
Sent: Tuesday, June 22, 2010 1:10 PM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question


Rebecca,
This is a security model I have often referred to as 'Security through
Obscurity'....which is obviously not security at all....putting a tarp
over something sitting in an open field doesn't mean someone can't get
to it....just that they can't see it without first pulling the tarp
off....same thing with hiding fields on a form...they can always still
pull a report on the field and get its contents, the only way they can't
get its contents is if they don't have access to it via
permissions....your security people MAY have a right to be upset...if
the data in question shouldn't be made available to the users.
Now....don't confuse access to the form with access to the
row/field...you can have access to a form, but if you have row level
access setup to restrict access to all records except those they should
have access to, then there is no issue....

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Boyd, Rebecca E.
Sent: Tuesday, June 22, 2010 9:47 AM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question

When some of my users discovered they could see - & in some cases modify
- lots of forms using the API interface, they raised a concern. My
security people are not happy. This is what BMC sent me from internal KB
20021753:

================

The User form has Public hidden permission. 
While using the User tool, a user without Administrator access cannot
open the User form.
When using the Web tool, the user can open the form.

Is this a bug or do we need to build workflow to prevent users from
accessing User form on the web?

================

The web behavior is not a bug; it is normal.

Permission and Visibility are two different things (although we tend to
club them together):

Permission: Whether a User can access an object or not / pull up data
from it or not.
Visibility: Whether a User can see the object in the Object List or not.

For example, if a Form has Public-Hidden permissions details attached to
it, this means they can pull up data from it / open it but it won't be
visible in the Object List.
If you use the Mid-Tier object list, you will find that it too shows the
same behavior as the User Tool object list.


Q. But is it possible to open up forms in User Tool like Mid-Tier which
have public hidden permissions?

A. Well actually you can. Here are the steps 

1) Open up the Object List in User Tool.
2) Right click any form name and select "Create Shortcut" > "Search Form"
3) Save the task file somewhere.
4) Open the ARTask file in notepad
5) Change the Name = <Form Name> to the form name you want to open, for example Name = User
6) Save and Double Click to open the form.






-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa
Sent: Tuesday, June 22, 2010 11:26 AM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question


Looks like the original post did not come through which I was referring
to.  

Amanda Pierce asked (back in Jan of 2010):

I have imported the Mid Tier Object List form/workflow, when I log in as
a regular user with restricted permissions I can see ALL forms even if I
don't have permission to view them, i.e. AR System forms.

Is there any way to restrict the visibility of these forms the same way
the client does based on Permission Visible/Hidden?

 
Lisa

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa
Sent: Tuesday, June 22, 2010 11:24 AM
To: arslist@ARSLIST.ORG
Subject: Re: 7.5 Mid Tier Object List Question

Has anyone been able to figure this out?  Looks like the only forms that
show up on this list are the ones with Public Permissions.  We want it to
act just like the Object List on the client (where the customer can only
see the forms that they have access to). 

Also, is there an easier way for the midtier customer to get to the
object list other than an entry link or adding a button on every single
form that takes them to the MidTier Object List Form?

We enabled the "Enable Object List" setting on the Midtier
configuration, but it appears that enabling on the MidTier server is
sort of an error trap. 
The MidTier will bring up the Object List if a bad URL is entered.

I can't get this to work even if I try to use a "bad URL" (whatever that
is!)

I really hope this is one thing that gets taken care of in MT 8.0!

Thanks!

Lisa

Midtier 7.5 p4
ARS 7.1 p7
Oracle 10g

--
View this message in context:
http://ars-action-request-system.1093659.n2.nabble.com/7-5-Mid-Tier-Object-List-Question-tp4469645p5209293.html
Sent from the ARS (Action Request System) mailing list archive at
Nabble.com.

________________________________________________________________________
_______
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10
www.wwrug.com ARSlist: "Where the Answers Are"
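
The permission-versus-visibility distinction discussed in this thread, as an added example that is not part of the original messages or BMC's code: a small Python model that audits a constructed permission export for forms a user can open but will not see in an object list. The `Grant` rows, the `Demo:` form names and the function names are assumptions for illustration; only the User form's Public hidden permission comes from the thread.

```python
from dataclasses import dataclass

VISIBLE, HIDDEN = "visible", "hidden"


@dataclass(frozen=True)
class Grant:
    form: str
    group: str
    access: str  # VISIBLE or HIDDEN; both grant access, only VISIBLE lists the form


# Constructed sample export (hypothetical format, not a BMC API).
GRANTS = [
    Grant("User", "Public", HIDDEN),            # stated in the quoted KB text
    Grant("Demo:Rules", "Public", HIDDEN),      # constructed
    Grant("Demo:Tickets", "Public", HIDDEN),    # constructed
    Grant("Demo:Tickets", "Support", VISIBLE),  # constructed
    Grant("Demo:Payroll", "HR", VISIBLE),       # constructed
]


def effective_groups(groups):
    """Every user is treated as a member of Public in addition to named groups."""
    return set(groups) | {"Public"}


def openable_forms(groups, grants=GRANTS):
    """Forms the user holds any permission on, visible or hidden."""
    mine = effective_groups(groups)
    return sorted({g.form for g in grants if g.group in mine})


def listed_forms(groups, grants=GRANTS):
    """Forms an object list would show: at least one visible grant."""
    mine = effective_groups(groups)
    return sorted({g.form for g in grants
                   if g.group in mine and g.access == VISIBLE})


def hidden_but_openable(groups, grants=GRANTS):
    """The audit result: forms reachable by name although never listed."""
    return sorted(set(openable_forms(groups, grants))
                  - set(listed_forms(groups, grants)))


if __name__ == "__main__":
    for who, groups in [("support staff", ["Support"]), ("no groups", [])]:
        print(who, "listed:", listed_forms(groups))
        print(who, "openable but unlisted:", hidden_but_openable(groups))
```

Every form in the second list is one where hiding is the only barrier; restricting it means changing the grant itself or adding row-level access, as the reply above describes.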
