IBM Support

PH22346: TASK UI ASSOCIATE PARENT DOES NOT HONOR ASSOCIATE SECURITY RESTRICTIONS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • If a creation or task view for an object in the Task UI contains
    a way to associate to a parent, the user will see all parent
    objects the user has read access to in the popup selector
    window, regardless of whether they have permissions to associate
    to them.
    The user will not be able to save the record with the incorrect
    association, though.  An error will display:
    OP-03002
    You do not have permission to access the object "Parent".
    
    
    To reproduce:
    Prerequisites:
    OpenPages 8.1.0.1 with Solutions and default data set
    
    Create a role template for read-only access:
    1.	Log in to OpenPages as OpenPagesAdministrator
    2.	Switch to standard UI
    3.	Go to Administration->Role Template
    4.	Click Add
    5.	Give the name Read Only ? Everything, and Role Type of
    Business Entity
    6.	Click Next
    7.	Check the box in the header row to include all object types
    with read permission
    8.	Click Next
    9.	Scroll to the bottom, and check the box for User Interfaces
    to ensure Task UI access
    10.	Click Finish
    
    
    Create a user with limited security domain permissions
    1.	Log in to OpenPages as OpenPagesAdministrator
    2.	Switch to standard UI
    3.	Go to Administration->Users
    4.	Click Create
    5.	Add a user who is in the OpenPages ORM Master profile, and
    has the following group/role permissions:
    
    
    Steps to Reproduce:
    1.	Login to OpenPages as the user created above
    2.	In the Task UI main menu, select Assessments->Risk
    Assessments
    3.	Click the Add New button
    4.	Go to the Primary Business Entity section
    5.	Click Select button
    6.	Notice that all Business entities in the system are available
    to select, when only 8 should be authorized by the role given to
    the user
    
    7.	Choose a parent that the user should not be able to use, like
    Abrucca Limited, and click Done
    8.	Fill in any other required fields, then click Save
    9.	The OP-03002 error will appear:
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * OpenPages Users                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * TASK UI ASSOCIATE PARENT DOES NOT HONOR ASSOCIATE SECURITY   *
    * RESTRICTIONS                                                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Customers should download OpenPages 8.2 from Passport        *
    * Advantage. See the following document for details on         *
    * obtaining OpenPages 8.2:                                     *
    * https://www.ibm.com/support/pages/downloading-ibm-openpages- *
    * watson-version-82-passport-advantage                         *
    ****************************************************************
    

Problem conclusion

  • When searching for resources, you can specify what rights the
    user needs to have on the returned resources.
    ResourceListService already supports using the acl attribute
    from ResourceListQuery, but the client never sets the acl
    attribute, so it is set to READ.
    
    The solution is just to pass along the acl parameter when Object
    Picker is being used for an Associate action.
    
    Customers should download OpenPages 8.2 from Passport Advantage.
    See the following document for details on obtaining OpenPages
    8.2:
    https://www.ibm.com/support/pages/downloading-ibm-openpages-wats
    on-version-82-passport-advantage
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH22346

  • Reported component name

    OPENPAGES GRC

  • Reported component ID

    5725D5100

  • Reported release

    810

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-02-18

  • Closed date

    2020-06-19

  • Last modified date

    2020-06-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENPAGES GRC

  • Fixed component ID

    5725D5100

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFUEU","label":"IBM OpenPages with Watson"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"810","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
20 June 2020