IBM Support

JR55154: NON-PRIVILEGED USERS CAN SEARCH FOR AND DISCOVER ALL USERS AND GROUPS IN IBM BUSINESS SPACE


APAR status

  • Closed as new function.

Error description

  • When locked down mode is enabled in IBM Business Space, you
    can still search for and discover all users and groups defined
    in the user registry, even if you do not have the required
    privileges.
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    IBM Business Monitor
    

Local fix

Problem summary

  • When Business Space's locked down mode is enabled, a REST
    service in Business Space that retrieves user and group
    information does not check user privileges before returning the
    information.
    

Problem conclusion

  • A fix is available for IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2,
    V8.5.5.0, V8.5.6.0 cumulative fix 2, and IBM BPM V8.5.7.0
    CF2016.06. The fix adds a new set of configuration properties
    that enable checking of user privileges in the REST service,
    which prevents you from searching all users and groups when
    Business Space's locked down mode is enabled.
    
    For IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2, and V8.5.5.0, search
    for JR54678 on Fix Central
    (http://www.ibm.com/support/fixcentral). Interim fix JR54678
    includes the fix for interim fix JR55154.
    
    1. From the product selector, select IBM Business Process
    Manager with your edition, the installed version to the fix
    pack level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR54678, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
    For IBM BPM V8.5.6.0, this fix is built on IBM BPM 8.5.6.0
    cumulative fix 2. If you do not already have IBM BPM V8.5.6
    cumulative fix 2 installed, download and install IBM BPM V8.5.6
    cumulative fix 2 from
    http://www.ibm.com/support/docview.wss?uid=swg24041303.
    
    For IBM BPM V8.5.7.0, this fix is built on IBM BPM 8.5.7.0
    cumulative fix 2016.06. If you do not already have IBM BPM
    V8.5.7.0 cumulative fix 2016.06 installed, download and install
    IBM BPM V8.5.7.0 cumulative fix 2016.06 from
    http://www.ibm.com/support/docview.wss?uid=swg24042266.
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR55154

  • Reported component name

    BPM EXPRESS

  • Reported component ID

    5725C9600

  • Reported release

    856

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-02-02

  • Closed date

    2016-09-20

  • Last modified date

    2016-09-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM EXPRESS

  • Fixed component ID

    5725C9600

Applicable component levels


Document Information

Modified date:
31 August 2023