IBM Support

Add security context to the EmailPlusPostOffice record type from the ClearQuest EmailPlus package

Troubleshooting


Problem

A normal user can create a query that returns the records in the EmailPlusPostOffice record type, which allows anyone to read the content of those emails before they are sent. This poses a security risk.

Resolving The Problem

To resolve the issue, the ClearQuest administrator should add security context to the EmailPlusPostOffice record type. Because the EmailPlusPostOffice record type is added by the EmailPlus package, the fields in it cannot be modified in the ClearQuest Designer unless package editing has been enabled in the schema.


The following steps enable package editing and add security context to the EmailPlusPostOffice record type so that normal users can no longer retrieve the EmailPlusPostOffice records. They presume that the ClearQuest administrator has enabled the EmailPlus package and created the "EmailPlusAdmins" ClearQuest user group, and that the "Project" record type is available to use as a security context record type.


1. Run the packageutil command to enable package editing in the schema, substituting appropriate values for dbset, username, and password.

packageutil enablepackageediting -dbset <dbset> <username> <password> -enable <username>


2. Log in to the ClearQuest Designer and check out the schema.


3. Find the EmailPlusPostOffice record type and add a new field named "SecurityGroup" in the fields table. Choose the "Reference" type, set it to reference "Project", and check the "Security Context" option.


4. Check in the schema so that the security context takes effect, then upgrade the user database.


5. Open a ClearQuest client, create a new Project record named "PostOfficeGroup" and add the "EmailPlusAdmins" group in the Ratl_Security tab.


6. Log in to the ClearQuest Designer and check out the schema again.


7. Open the actions table in the EmailPlusPostOffice record type and add a script for the validation hook of the "Submit" action. If the schema uses the Perl scripting language, add this Perl script:

$entity->SetFieldValue("SecurityGroup","PostOfficeGroup");

Otherwise, add a Basic script:

SetFieldValue "SecurityGroup", "PostOfficeGroup"


8. Check in the schema and upgrade the user database. From now on, only users in the EmailPlusAdmins group can see the EmailPlusPostOffice records.


9. Disable package editing to prevent future unintentional package changes.

packageutil enablepackageediting -dbset <dbset> <username> <password> -disable <username>
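The restriction from step 8 can be checked with a short cqperl script that counts the EmailPlusPostOffice records each account can query. This is an added example, not part of the IBM technote; the environment variable names are assumptions, and the script presumes one account in EmailPlusAdmins and one ordinary account.

```perl
#!/usr/bin/env cqperl
# Added verification example: run with cqperl from a ClearQuest installation.
use strict;
use warnings;
use CQPerlExt;

# Assumed variable names; credentials come from the environment, not the file.
for my $name (qw(CQ_DBSET CQ_USERDB CQ_ADMIN_USER CQ_ADMIN_PASS
                 CQ_NORMAL_USER CQ_NORMAL_PASS)) {
    die "environment variable $name is not set\n" unless defined $ENV{$name};
}

# Count the EmailPlusPostOffice records that one account can see.
sub visible_postoffice_records {
    my ($login, $password) = @_;
    my $session = CQSession::Build();
    # UserLogon dies if the logon fails, which stops the check.
    $session->UserLogon($login, $password, $ENV{CQ_USERDB}, $ENV{CQ_DBSET});

    my $query = $session->BuildQuery("EmailPlusPostOffice");
    $query->BuildField("dbid");    # system field present on every record type
    my $results = $session->BuildResultSet($query);
    $results->Execute();

    my $count = 0;
    $count++ while $results->MoveNext() == $CQPerlExt::CQ_SUCCESS;
    CQSession::Unbuild($session);
    return $count;
}

my $admin_seen  = visible_postoffice_records(@ENV{qw(CQ_ADMIN_USER CQ_ADMIN_PASS)});
my $normal_seen = visible_postoffice_records(@ENV{qw(CQ_NORMAL_USER CQ_NORMAL_PASS)});
print "EmailPlusAdmins member sees $admin_seen record(s); ",
      "normal user sees $normal_seen record(s)\n";

if ($normal_seen > 0) {
    print "FAIL: the normal user can still query EmailPlusPostOffice records\n";
    exit 1;
}
if ($admin_seen == 0) {
    # Nothing is queued, so a zero for the normal user proves nothing yet.
    print "INCONCLUSIVE: no records exist; rerun while an email is queued\n";
    exit 2;
}
print "PASS: records are visible only to the EmailPlusAdmins member\n";
```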

Product: Rational ClearQuest. Component: Designer - Packages. Platforms: AIX, Linux, Solaris, Windows. Versions: 7.1.2; 8.0; 8.0.1.

Document Information

Modified date:
16 June 2018

UID

swg21695551