IBM Support

JR52601: CANNOT RESTRICT ACCESS TO INFORMATION BY USING REST APIS

APAR status

  • Closed as program error.

Error description

  • The current REST APIs allow all authenticated users to receive
    information about all users, groups, and teams. An operation
    mode is needed that restricts access to concerned parties, such as
    IBM Business Process Manager (BPM) administrators, team
    managers, or users who are associated with specific work.
    

Local fix

Problem summary

  • The REST APIs apply only limited authorization when users
    access user, group, or team information. For instance, a user
    can access any other user's details, including group
    memberships, or access all available groups, including the
    memberships they contain.
    

Problem conclusion

  • A fix is/will be available for IBM BPM that enhances
    authorization control for REST APIs by governing access to user,
    group, and team information.
    
    To enable the enhanced authorization control, add the following
    setting to your 100Custom.xml file:
    
    <server>
      <portal merge="mergeChildren">
        <authorization-enabled-for-org-info>true</authorization-enabled-for-org-info>
      </portal>
    </server>
    
    The enhanced authorization control enforces the following
    authorization rules when users access user-, group-, or
    team-related REST APIs:
    
    View user information: .../user/<userIdOrName>, is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup) for all
      users
    - All users for viewing data about themselves
    - Users authorized by either of the following policies:
    -- ACTION_REFRESH_USER policy
    -- ACTION_MANAGE_ANY_USERATTRIBUTE policy
    
    Refresh user information:
    .../user/<userIdOrName>?refreshUser=true, is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
    - Users authorized by the ACTION_REFRESH_USER policy
    
    Update user attributes:
    .../user/{userNameOrID}?action=setPreference, is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup) for all
      users
    - Users authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy
    
    View users information: .../users, is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
    
    View potential collaborators for a claimed task:
    .../users?collabTaskidFilter=..., is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
    - Users authorized to invite others to collaborate on a task:
      Task owner
    
    View potential reassignees for a received or claimed task:
    .../users?assignTaskidFilter=...,
    is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
    - Users authorized to reassign the task to other users, such as
    -- Task owner, if enabled by ACTION_REASSIGN_TASK_USER_ROLE
       policy
    -- Task team managers
    -- Instance owners
    
    View group information: .../group/<groupIdOrName>, is enabled
    for
    - IBM BPM administrators (members of the bpmAdminGroup)
    - Team managers (if the specified group corresponds to a team)
    
    View groups information: .../groups, is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
    
    View team information: .../team/<teamIdOrName>, is enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
    - Team managers
    
    View team information: .../participantGroup/<pgIdOrName>, is
    enabled for
    - IBM BPM administrators (members of the bpmAdminGroup)
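
    The rules above form a small authorization matrix. The following is an added example, not IBM code: a table-driven model of those rules that a deployer can use to reason about which caller should be allowed or denied on each endpoint once authorization-enabled-for-org-info is set to true. The Principal and Request types, their field names, the sample users, and the assumption that a group id corresponds to the team id it represents are all constructed for illustration; the allow/deny outcomes follow the APAR text.

```python
# Added example (not IBM code): a table-driven model of the authorization
# rules that APAR JR52601 describes for the user-, group-, and team-related
# REST APIs once authorization-enabled-for-org-info is set to true. The
# Principal/Request types, field names and sample users are constructed for
# illustration; the rule outcomes follow the APAR text.
from dataclasses import dataclass, field

# Policy names as they appear in the APAR.
ACTION_REFRESH_USER = "ACTION_REFRESH_USER"
ACTION_MANAGE_ANY_USERATTRIBUTE = "ACTION_MANAGE_ANY_USERATTRIBUTE"
ACTION_REASSIGN_TASK_USER_ROLE = "ACTION_REASSIGN_TASK_USER_ROLE"


@dataclass
class Principal:
    """The authenticated caller (constructed type, not a BPM API object)."""
    name: str
    is_admin: bool = False                           # member of bpmAdminGroup
    policies: set = field(default_factory=set)       # ACTION_* policies granted
    managed_teams: set = field(default_factory=set)  # team ids the caller manages


@dataclass
class Request:
    """One REST call, reduced to the facts the rules depend on."""
    resource: str                  # user | users | group | groups | team | participantGroup
    target: str = ""               # <userIdOrName>, <groupIdOrName>, <teamIdOrName>, ...
    refresh: bool = False          # ?refreshUser=true
    set_preference: bool = False   # ?action=setPreference
    collab_task_filter: bool = False   # ?collabTaskidFilter=...
    assign_task_filter: bool = False   # ?assignTaskidFilter=...
    # The caller's relation to the task named in a task filter (assumed to be
    # resolved by the server from the task id before the rule is evaluated).
    task_owner: bool = False
    task_team_manager: bool = False
    instance_owner: bool = False


def is_authorized(caller: Principal, req: Request) -> bool:
    """Return True if the APAR's rules permit `caller` to perform `req`."""
    if caller.is_admin:
        return True   # every rule on the page lists bpmAdminGroup members
    r = req.resource
    if r == "user":
        if req.refresh:          # refresh user information
            return ACTION_REFRESH_USER in caller.policies
        if req.set_preference:   # update user attributes
            return ACTION_MANAGE_ANY_USERATTRIBUTE in caller.policies
        # plain view: the caller's own record, or either policy
        return (req.target == caller.name
                or ACTION_REFRESH_USER in caller.policies
                or ACTION_MANAGE_ANY_USERATTRIBUTE in caller.policies)
    if r == "users":
        if req.collab_task_filter:   # potential collaborators: task owner only
            return req.task_owner
        if req.assign_task_filter:   # potential reassignees
            return ((req.task_owner
                     and ACTION_REASSIGN_TASK_USER_ROLE in caller.policies)
                    or req.task_team_manager
                    or req.instance_owner)
        return False                 # unfiltered user list is admin-only
    if r == "group":
        # Team managers may view the group only when it corresponds to a
        # team they manage (assumption: the group id is the team id).
        return req.target in caller.managed_teams
    if r == "team":
        return req.target in caller.managed_teams
    if r in ("groups", "participantGroup"):
        return False                 # admin-only
    raise ValueError(f"unknown resource: {r!r}")


def evaluate_matrix() -> dict:
    """Run constructed callers against representative requests and return
    {(caller, label): decision} so the whole matrix can be inspected."""
    admin = Principal("admin", is_admin=True)
    alice = Principal("alice")                        # ordinary user
    bob = Principal("bob", policies={ACTION_REFRESH_USER})
    mgr = Principal("mgr", managed_teams={"team-1"})
    cases = {
        "view self": Request("user", target="alice"),
        "view other": Request("user", target="carol"),
        "refresh other": Request("user", target="carol", refresh=True),
        "list users": Request("users"),
        "collaborators as task owner": Request("users", collab_task_filter=True, task_owner=True),
        "reassignees as instance owner": Request("users", assign_task_filter=True, instance_owner=True),
        "view group team-1": Request("group", target="team-1"),
        "view team team-1": Request("team", target="team-1"),
        "list groups": Request("groups"),
    }
    return {(p.name, label): is_authorized(p, req)
            for p in (admin, alice, bob, mgr)
            for label, req in cases.items()}


if __name__ == "__main__":
    for (who, what), ok in sorted(evaluate_matrix().items()):
        print(f"{who:6} {what:32} {'allow' if ok else 'deny'}")
```

    Running the script prints one allow/deny line per caller and request. A useful way to apply it is to replace the constructed principals with the roles actually present in a deployment and compare the model's decisions with the responses the server returns after the fix is installed; any request the model denies but the server serves is worth investigating.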
    
    
    To download the fix, go to Fix Central
    (http://www.ibm.com/support/fixcentral) and search for JR52601:
    
    1. Select IBM Business Process Manager with your edition from
       the product selector, the installed version to the fix pack
       level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR52601, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Not applicable
    

APAR Information

  • APAR number

    JR52601

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-02-23

  • Closed date

    2015-04-17

  • Last modified date

    2015-04-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R850 PSY

       UP

  • R855 PSY

       UP

Document Information

Modified date:
17 April 2015