Topic
  • 3 replies
  • Latest Post - 2013-09-04T19:05:10Z by franzw
MichaelCraghead
24 Posts

Pinned topic Shared Secret Not Readable or Writeable - ITIM 5.1

2013-08-28T20:32:15Z

I'm using an ITIM 5.1 instance where I want users to be able to see and modify their own Shared Secret. The ITIM administrator is able to see and modify the Shared Secret for all users, but the users themselves cannot see or modify their own Shared Secret. I have viewed all the ACIs that, by name, would seem to affect the user's ability to see/modify their Shared Secret, but none seem to deny read/write to the attribute. I have also viewed all ACIs in the root OU, and I've looked at all the ACIs in the People OU that have a Protection Category of Person, and I can't seem to find an ACI that is restricting access.

I use 'Deny' very sparingly, but even so I've checked for ACIs that have been named with Deny (the convention is to describe what's being allowed/denied in the ACI name). Initially I started going through all the ACIs, but there are hundreds, so that seemed pointless and error-prone.

Is there any way to identify all ACIs that affect the Shared Secret attribute that have some permission other than 'None' (Grant/Deny)?

Is there something in ITIM that could be restricting a user's ability to see the Shared Secret attribute other than an ACI?

Thank you.


Michael K. Craghead

Updated on 2013-08-28T20:34:00Z by MichaelCraghead
  • franzw
    347 Posts

    Re: Shared Secret Not Readable or Writeable - ITIM 5.1

    2013-08-28T20:41:33Z

    ITIM ACIs work by the principle of implicit deny - you will have to create an ACI that allows rw on the shared secret attribute for the principal "self".

    Implicit deny ensures that nobody gets access if not permitted explicitly.

    Deny is used to override the allow - implicit or explicit.

    HTH

    Regards

    Franz Wolfhagen
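To make the evaluation rule in the reply above concrete, here is a small Python model of attribute-level ACI evaluation with implicit deny: a subject gets access to an attribute only if some ACI whose principal matches them grants it, and any matching explicit Deny overrides every Grant. It also answers the question in the original post by listing every ACI whose permission on a given attribute is something other than None. This is an added example, not ITIM code or its real ACI storage format; the ACI shape, the principal labels ("self", "role:…") and the attribute name erSharedSecret are assumptions for illustration.

```python
"""Toy model of attribute-level ACI evaluation with implicit deny.

Added illustration, not ITIM code. Assumptions: an ACI names a set of
principals and a per-attribute, per-operation permission of None, Grant
or Deny; "self" is a principal the subject holds when acting on their own
entry; the attribute name erSharedSecret is used only as an example.
"""
from dataclasses import dataclass, field

NONE, GRANT, DENY = "None", "Grant", "Deny"


@dataclass
class ACI:
    name: str
    principals: frozenset            # e.g. {"self"} or {"role:HelpDesk"}
    # attribute -> {"read": perm, "write": perm}; missing entries mean None
    permissions: dict = field(default_factory=dict)


def evaluate(acis, subject_principals, attribute, operation):
    """Return (allowed, trace).

    trace lists (aci name, permission) for every ACI that matched the
    subject and says Grant or Deny on this attribute/operation, so a
    troubleshooter can see which ACI decided the outcome.
    Implicit deny: no matching Grant -> False. Explicit Deny wins over Grant.
    """
    trace = []
    for aci in acis:
        if not (aci.principals & set(subject_principals)):
            continue
        perm = aci.permissions.get(attribute, {}).get(operation, NONE)
        if perm != NONE:
            trace.append((aci.name, perm))
    if any(perm == DENY for _, perm in trace):
        return False, trace
    return any(perm == GRANT for _, perm in trace), trace


def acis_touching(acis, attribute):
    """Every (aci name, operation, permission) where the permission on
    `attribute` is not None: the audit the original question asks for."""
    hits = []
    for aci in acis:
        for op, perm in sorted(aci.permissions.get(attribute, {}).items()):
            if perm != NONE:
                hits.append((aci.name, op, perm))
    return hits


# Constructed sample policy (not taken from any real ITIM instance).
SAMPLE_ACIS = [
    ACI("Self - read/write own shared secret", frozenset({"self"}),
        {"erSharedSecret": {"read": GRANT, "write": GRANT},
         "mail": {"read": GRANT, "write": NONE}}),
    ACI("HelpDesk - read shared secret", frozenset({"role:HelpDesk"}),
        {"erSharedSecret": {"read": GRANT, "write": NONE}}),
    ACI("Deny contractors shared secret", frozenset({"role:Contractor"}),
        {"erSharedSecret": {"read": DENY, "write": DENY}}),
    ACI("Employee - read mail", frozenset({"role:Employee"}),
        {"mail": {"read": GRANT, "write": NONE}}),
]

if __name__ == "__main__":
    cases = [
        ("employee on own entry", {"self", "role:Employee"}),
        ("contractor on own entry", {"self", "role:Contractor"}),
        ("help desk on someone else", {"role:HelpDesk"}),
        ("auditor on someone else", {"role:Auditor"}),   # no ACI at all
    ]
    for label, who in cases:
        for op in ("read", "write"):
            allowed, trace = evaluate(SAMPLE_ACIS, who, "erSharedSecret", op)
            print(f"{label:28} {op:5} -> {allowed}  via {trace}")
    print("ACIs touching erSharedSecret:")
    for hit in acis_touching(SAMPLE_ACIS, "erSharedSecret"):
        print("  ", hit)
```

The trace returned by `evaluate` is the part worth keeping: when a user is unexpectedly denied, an empty trace means no ACI grants the attribute at all (implicit deny), while a trace containing a Deny points at the ACI that overrode an otherwise valid Grant.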

  • MichaelCraghead
    24 Posts

    Re: Shared Secret Not Readable or Writeable - ITIM 5.1

    2013-09-04T16:22:07Z
    • franzw
    • 2013-08-28T20:41:33Z

    Franz,

    Thanks for the reply. I apologize for being so tardy in replying, but I've been away...

    I have a feeling I wasn't very clear in my writing, or maybe I focused too much on ACIs. Yes, I am aware that ACIs have an implied Deny. In my case there are ACIs for each of the People types in the Organization. Each ACI has a Grant for the Shared Secret for both read and write. However, when using the self-service interface the user is unable to see or edit his/her Shared Secret. With an ITIM Administrator role I can see my own Shared Secret and anyone else's, as expected, using the Administrator Console. However, when using the self-service interface as the ITIM Administrator I, like all other users, am unable to even see my own Shared Secret. This leads me to believe that it has to do with the interface being used; however, I can't find a reference to anything that says do 'this' or do 'that' to allow the Shared Secret to be viewable in the self-service interface.

    Does anyone have an idea of what I might be missing? ACIs aren't interface-specific, are they?

    Thank you for the help.

    Michael K. Craghead

  • franzw
    347 Posts

    Re: Shared Secret Not Readable or Writeable - ITIM 5.1

    2013-09-04T19:05:10Z

    (quoting MichaelCraghead's reply of 2013-09-04T16:22:07Z above)

    This definitely sounds like a PMR.

    I must admit that I have never seen this problem - I personally dislike C/R as it lowers security tremendously - and most organizations seem not to realize this.... Hence I do not work much with it.

    Regards

    Franz Wolfhagen