IBM Support

PH29327: TASK UI - USERS WITH NO ROLE PERMISSION CAN STILL ACCESS GRIDVIEW VIA DASHBOARD


APAR status

  • Closed as program error.

Error description

  • Users without object role permissions for specific objects can
    still access the grid view via the dashboard.
    Although actual records cannot be accessed, being able to reach
    the grid view itself looks wrong, especially since the
    navigation menu does not exist.
    
    Prerequisites:
    
    OpenPages installed
    
    Set up sample user and role
    1.	Log into OpenPages UI as OpenPagesAdministrator
    2.	Follow these steps to create a new role with ONLY
    read/write/delete/association permissions to the
    SOXBusinessEntity object type and nothing else:
    https://www.ibm.com/support/knowledgecenter/SSFUEU_8.2.0/op_grc_admin/t_adm_add_a_role_template.html
    3.	Follow these steps to create a new user associated to the new
    role created in step 2, and assigned to the "OpenPages Modules
    Master" profile:
    https://www.ibm.com/support/knowledgecenter/SSFUEU_8.2.0/op_grc_admin/t_adm_create_new_users.html
    
    Create dashboard
    1.	In the Task UI, navigate to the Solution Configuration ->
    Dashboards page
    2.	Click Add New to add a new dashboard
    3.	Enter a name, set Active to true, select "OpenPages Modules
    Master" for the profile, and click Add
    4.	Click the new dashboard to enter the design page
    5.	Click on the Configure icon, then click Add Panel
    6.	Change Panel Type to Reports, provide a Name and Label,
    change Data Source to All Reports, then click Done.
    7.	Click Add Panel to add another panel, Panel Type as custom,
    provide a name and label, then click Add Widget
    8.	Leave Type as Add New and change Object Type to Issue, then
    click Done
    9.	Click Add Widget again, change Type to Chart, provide a
    label, set Object Type to Issue, Filter to "My Open Issues",
    Chart Type to Doughnut, Chart Data Field to Issue Type, Method
    Type to Count, then click Done.
    10.	Click Done, then Publish
    
    Steps to Reproduce:
    1.	Log into OpenPages UI as the user created above
    2.	Confirm that the dashboard shows the Issue-related widget,
    even though the user has no Issue permissions
    3.	Click on the 0 in the chart. This will navigate to the Issue
    grid view, even though the user has no Issue permissions.
    Although the user still sees no Issue records, being able to
    reach this page is not right.
    
    
    Expected Results:
    
    Users should not see any restricted object type content or reach
    pages for which they have no permissions.
    
    Actual Results:
    
    Users can still navigate to role-restricted pages.
    
    Error Message:
    
    None
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * OpenPages Users                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    *  TASK UI - USERS WITH NO ROLE PERMISSION CAN STILL ACCESS    *
    * GRID VIEW VIA DASHBOARD                                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Customers should download OpenPages with Watson 8.2 Fix Pack *
    * 1 (8.2.0.1). See the following document for details on       *
    * obtaining OpenPages 8.2.0.1:                                 *
    * https://www.ibm.com/support/pages/openpages-watson-82-fix-pack-1
    ****************************************************************
    

Problem conclusion

  • We fixed this and also added a remove function for the case
    where there are no widgets left in the panel or when search is
    unavailable.
    
    Customers should download OpenPages with Watson 8.2 Fix Pack 1
    (8.2.0.1). See the following document for details on obtaining
    OpenPages 8.2.0.1:
    https://www.ibm.com/support/pages/openpages-watson-82-fix-pack-1
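
The access-control pattern behind this class of defect, as an added example (a constructed model, not IBM's or OpenPages' code): dashboard widgets are filtered by the object types the user's role grants, panels left empty are removed, and the grid view route checks permission itself. All class and function names, and the sample Entities panel, are hypothetical.

```python
# Added illustration; a constructed model, not OpenPages code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Widget:
    label: str
    object_type: str           # object type the widget reads, e.g. "Issue"

@dataclass
class Panel:
    name: str
    widgets: list = field(default_factory=list)

@dataclass
class User:
    name: str
    readable_types: frozenset  # object types granted by the user's role

class Forbidden(Exception):
    """Raised when a user requests a view for an object type they cannot read."""

def render_dashboard(user, panels):
    """Return only the panels and widgets the user may see.

    Widgets whose object type is outside the user's role are dropped, and a
    panel left with no widgets is removed instead of being rendered empty.
    """
    visible = []
    for panel in panels:
        allowed = [w for w in panel.widgets if w.object_type in user.readable_types]
        if allowed:
            visible.append(Panel(panel.name, allowed))
    return visible

def open_grid_view(user, object_type):
    """Server-side guard for the grid view route.

    The check runs on every request, so it holds whether the user arrived
    from the navigation menu, a chart drill-down, or a typed URL.
    """
    if object_type not in user.readable_types:
        raise Forbidden(f"{user.name} has no read permission on {object_type}")
    return f"grid:{object_type}"

# Constructed sample mirroring the reproduction steps: a role limited to
# SOXBusinessEntity and a dashboard panel holding two Issue widgets.
ENTITY_ONLY = User("sample_user", frozenset({"SOXBusinessEntity"}))
DASHBOARD = [
    Panel("Issues", [Widget("Add New", "Issue"), Widget("My Open Issues", "Issue")]),
    Panel("Entities", [Widget("My Entities", "SOXBusinessEntity")]),
]
```

Hiding a menu entry or a widget only changes what is displayed; the guard in `open_grid_view` is what keeps the page itself unreachable.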
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH29327

  • Reported component name

    OPENPAGES GRC

  • Reported component ID

    5725D5100

  • Reported release

    820

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-09-09

  • Closed date

    2020-11-25

  • Last modified date

    2020-11-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENPAGES GRC

  • Fixed component ID

    5725D5100

Applicable component levels


Document Information

Modified date:
26 November 2020