Fixes are available
APAR status
Closed as program error.
Error description
There is no way to manage authorization for read or write access to user attribute values. PROBLEM DETAILED DESCRIPTION: The User Attribute feature in IBM BPM has no authorization concept. As a consequence, each user can read and update his or her own and other users' user attribute values by using REST APIs. However, there are security-sensitive use cases for user attribute values, such as email notifications or task assignments that use expressions. You might also choose to store confidential information about users in user attribute values. The lack of authorization for this feature can create a security exposure.
Local fix
n/a
Problem summary
There is no way to manage authorization for read or write access to user attribute values. PROBLEM DETAILED DESCRIPTION: The User Attribute feature in IBM BPM has no authorization concept. As a consequence, each user can read and update his or her own and other users' user attribute values by using REST APIs. However, there are security-sensitive use cases for user attribute values, such as email notifications or task assignments that use expressions. You might also choose to store confidential information about users in user attribute values. The lack of authorization for this feature can create a security exposure.
Problem conclusion
A fix is available that makes the user attribute feature secure by default and adds authorization for access to user attributes through the REST APIs.

With the fix applied, a configurable whitelist of user attributes controls which user attributes are readable by all users. The configuration property name for this whitelist is public-attribute. The default whitelist is defined in 00Static.xml and can be extended or overwritten in 100Custom.xml:

<server>
  ...
  <user-attributes>
    ...
    <rest-authorization>
      <public-attribute>Title</public-attribute>
      <public-attribute>Task Email Address</public-attribute>
      <public-attribute>Image</public-attribute>
      <public-attribute>Primary Role</public-attribute>
      <public-attribute>Phone Number</public-attribute>
      ...

For information about how to change configuration properties in 100Custom.xml, see the appropriate documentation:
- V7.5.x: "Changing IBM Process Server properties in 100Custom.xml" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v7r5m1/topic/com.ibm.wbpm.admin.doc/topics/changing_server_props.html)
- V8.0.x: "Changing IBM Process Server properties in 100Custom.xml" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0m1/topic/com.ibm.wbpm.admin.doc/topics/changing_server_props.html)
- V8.5.x: "Changing IBM Process Server properties in 100Custom.xml" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/topic/com.ibm.wbpm.admin.doc/topics/changing_server_props.html)

With the fix applied, a second configurable whitelist of user attributes controls which user attributes each user can update in his or her own user profile. The configuration property name for this whitelist is self-manageable-attribute. Because there are cases in IBM Process Portal where users set their own email address, phone number, job title and other settings by using REST APIs, all attributes that are shipped with the product are listed as self-manageable.

The exact set of default self-manageable attributes depends on your product version. The following sample lists all self-manageable attributes in IBM BPM V8.5:

<server>
  ...
  <user-attributes>
    ...
    <rest-authorization>
      ...
      <self-manageable-attribute>Title</self-manageable-attribute>
      <self-manageable-attribute>Portal Notification Post Mention</self-manageable-attribute>
      <self-manageable-attribute>Task Notification</self-manageable-attribute>
      <self-manageable-attribute>Task Email Address</self-manageable-attribute>
      <self-manageable-attribute>Calendar Type</self-manageable-attribute>
      <self-manageable-attribute>Show Unfollow Messages</self-manageable-attribute>
      <self-manageable-attribute>Send Connections Notification On New Task</self-manageable-attribute>
      <self-manageable-attribute>Image</self-manageable-attribute>
      <self-manageable-attribute>Primary Role</self-manageable-attribute>
      <self-manageable-attribute>Portal Notification New Task To My Group</self-manageable-attribute>
      <self-manageable-attribute>Base Text Direction</self-manageable-attribute>
      <self-manageable-attribute>Portal Mention Timestamp</self-manageable-attribute>
      <self-manageable-attribute>Phone Number</self-manageable-attribute>
      <self-manageable-attribute>Portal Default Page</self-manageable-attribute>
      <self-manageable-attribute>Locale</self-manageable-attribute>
      <self-manageable-attribute>Alert On Assign And Run</self-manageable-attribute>
      <self-manageable-attribute>Portal Dashboard Display Order</self-manageable-attribute>
      <self-manageable-attribute>Portal Notification New Task To Me</self-manageable-attribute>
    </rest-authorization>
  </user-attributes>
  ...

If your process applications contain custom user attribute definitions, explicitly list these custom user attributes in the previous whitelists if you want them to be either public or self-manageable. For example, the following stanza in 100Custom.xml adds CustomAttribute to the list of self-manageable attributes:

<server>
  <user-attributes merge="mergeChildren">
    <rest-authorization merge="mergeChildren">
      <self-manageable-attribute merge="append">CustomAttribute</self-manageable-attribute>
    </rest-authorization>
  </user-attributes>
</server>

In addition, an action policy has been added that gives administrators the ability to grant full read and write access to all user attributes of all users. The name of the action policy is ACTION_MANAGE_ANY_USERATTRIBUTE. For information about how to configure action policies, see the appropriate documentation:
- V7.5.x: "Restricting access to Process Portal functions" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v7r5m1/topic/com.ibm.wbpm.admin.doc/topics/restricting_access_to_portal_functions.html)
- V8.0.x: "Restricting access to actions on BPDs and tasks" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0m1/topic/com.ibm.wbpm.admin.doc/topics/restricting_access_to_portal_functions.html)
- V8.5.x: "Configuration properties for Process Portal action policies" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/index.jsp?topic=%2Fcom.ibm.wbpm.admin.doc%2Ftopics%2Frestricting_access_to_portal_functions.html)

The default assignment is tw_admins, which ensures that members of the default administrator group can manage user attributes by using a REST API. Starting with IBM BPM V8.5, it is possible to specify a different group name for IBM BPM administrators. If you configured a different group as the bpmAdminGroup, you might want to change this default assignment to the group name configured as bpmAdminGroup. For information about setting a bpmAdminGroup, see "Security configuration properties" (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/topic/com.ibm.wbpm.admin.doc/topics/csec_config_properties.html).

To revert to the previous open behavior, you can either remove all role assignments from the action policy ACTION_MANAGE_ANY_USERATTRIBUTE or remove the two whitelist configuration properties by overwriting server/user-attributes/rest-authorization with no value in 100Custom.xml.

FIX AVAILABILITY:
- iFix for 7.5.1.2 is/will be available on Fix Central; search for APAR JR49505 at http://www.ibm.com/support/fixcentral/
- iFix for 8.0.1.0 is/will be available on Fix Central; search for APAR JR49505 at http://www.ibm.com/support/fixcentral/
- iFix for 8.0.1.2 is/will be available on Fix Central; search for APAR JR49505 at http://www.ibm.com/support/fixcentral/
- iFix for 8.5.0.1 is/will be available on Fix Central; search for APAR JR49505 at http://www.ibm.com/support/fixcentral/
The fix is also targeted for inclusion in the next fix pack for BPM V7.5.1 and BPM V8.0.1.

When obtaining any of the above fixes, be sure to download the accompanying readme for the fix itself and for any prerequisite fixes, and review them thoroughly.
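As an added illustration of the authorization model described above (this is not IBM code and not part of the APAR), the following Python script parses a trimmed, constructed 00Static.xml default and a 100Custom.xml override into the two whitelists and then evaluates whether a given REST read or write of one user's attribute would be allowed: public-attribute entries are readable by everyone, self-manageable-attribute entries are writable by the owner only, and membership in a group mapped to ACTION_MANAGE_ANY_USERATTRIBUTE grants full access. The merge handling is a simplified assumption (merge="append" extends the default list, an entry without it replaces the list), the user and group names are constructed, and the rule that a user may read the attributes he or she is allowed to manage on his or her own profile is an assumption not stated in the APAR.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the 00Static.xml defaults, trimmed to a few attributes.
STATIC_XML = """<server>
  <user-attributes>
    <rest-authorization>
      <public-attribute>Title</public-attribute>
      <public-attribute>Task Email Address</public-attribute>
      <self-manageable-attribute>Title</self-manageable-attribute>
      <self-manageable-attribute>Task Email Address</self-manageable-attribute>
      <self-manageable-attribute>Phone Number</self-manageable-attribute>
    </rest-authorization>
  </user-attributes>
</server>"""

# Constructed 100Custom.xml override, shaped like the CustomAttribute stanza in the APAR text.
CUSTOM_XML = """<server>
  <user-attributes merge="mergeChildren">
    <rest-authorization merge="mergeChildren">
      <self-manageable-attribute merge="append">CustomAttribute</self-manageable-attribute>
    </rest-authorization>
  </user-attributes>
</server>"""

ACTION_MANAGE_ANY_USERATTRIBUTE = "ACTION_MANAGE_ANY_USERATTRIBUTE"
LIST_NAMES = ("public-attribute", "self-manageable-attribute")
AUTH_PATH = "./user-attributes/rest-authorization"


def load_whitelists(static_xml, custom_xml=None):
    """Return {"public-attribute": set, "self-manageable-attribute": set}.

    Assumed, simplified merge rules for 100Custom.xml: an entry carrying
    merge="append" is added to the default list; an entry without it replaces
    the default list for that property.
    """
    lists = {name: set() for name in LIST_NAMES}
    static_auth = ET.fromstring(static_xml).find(AUTH_PATH)
    if static_auth is not None:
        for el in static_auth:
            if el.tag in lists and el.text:
                lists[el.tag].add(el.text.strip())
    if custom_xml is None:
        return lists
    custom_auth = ET.fromstring(custom_xml).find(AUTH_PATH)
    if custom_auth is None:
        return lists
    replaced = set()
    for el in custom_auth:
        if el.tag not in lists or not el.text:
            continue
        if el.get("merge") != "append" and el.tag not in replaced:
            lists[el.tag] = set()  # assumption: a non-append entry overrides the default list
            replaced.add(el.tag)
        lists[el.tag].add(el.text.strip())
    return lists


def is_authorized(operation, requester, requester_groups, target_user,
                  attribute, lists, policy_groups):
    """Decide one REST read/write of `attribute` on `target_user`'s profile.

    policy_groups: groups mapped to ACTION_MANAGE_ANY_USERATTRIBUTE
    (tw_admins by default according to the APAR).
    """
    if operation not in ("read", "write"):
        raise ValueError("operation must be 'read' or 'write'")
    # Action policy members get full read and write access to everyone's attributes.
    if set(requester_groups) & set(policy_groups):
        return True
    public = lists["public-attribute"]
    self_manageable = lists["self-manageable-attribute"]
    own_profile = requester == target_user
    if operation == "read":
        # Public attributes are readable by all users; reading one's own
        # self-manageable attributes is an assumption of this model.
        return attribute in public or (own_profile and attribute in self_manageable)
    # Writes: only the owner, and only for self-manageable attributes.
    return own_profile and attribute in self_manageable


if __name__ == "__main__":
    wl = load_whitelists(STATIC_XML, CUSTOM_XML)
    admins = {"tw_admins"}
    checks = [
        ("read", "alice", {"sample_users"}, "bob", "Title"),
        ("read", "alice", {"sample_users"}, "bob", "Phone Number"),
        ("write", "alice", {"sample_users"}, "alice", "CustomAttribute"),
        ("write", "alice", {"sample_users"}, "bob", "Title"),
        ("write", "carol", {"tw_admins"}, "bob", "Image"),
    ]
    for op, who, groups, target, attr in checks:
        print(op, who, "->", target, attr, is_authorized(op, who, groups, target, attr, wl, admins))
```

Running the script prints one decision per sample request; the same two functions can be pointed at a real 00Static.xml and 100Custom.xml pair to review which attributes an installation exposes before and after the fix is applied.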
Temporary fix
Comments
APAR Information
APAR number
JR49505
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
751
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-03-04
Closed date
2014-05-08
Last modified date
2014-05-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R751 PSY
UP
R801 PSY
UP
R850 PSY
UP
Document Information
Modified date:
12 October 2021