IBM Support

PH30371: TASK UI - USERS WITH NO ROLE PERMISSION CAN STILL ACCESS ACTION GRID IN TASK VIEW

APAR status

  • Closed as program error.

Error description

  • Users without object role permissions for specific object types can
    still access the action grid inside a grid view.
    Although the actual records cannot be accessed, being able to reach
    the object grid itself confuses end users, since the navigation
    menu for that object type does not exist for them.
    
    Prerequisites:
    
    OpenPages installed
    
    Set up sample user and role
    1.	Log into OpenPages UI as OpenPagesAdministrator
    2.	Follow these steps to create a new role with ONLY
    read/write/delete/association permissions to the
    SOXBusinessEntity object type and nothing else:
    https://www.ibm.com/support/knowledgecenter/SSFUEU_8.2.0/op_grc_admin/t_adm_add_a_role_template.html
    3.	Follow these steps to create a new user associated with the new
    role created in step 2, and assigned to the "OpenPages Modules
    Master" profile:
    https://www.ibm.com/support/knowledgecenter/SSFUEU_8.2.0/op_grc_admin/t_adm_create_new_users.html
    
    Create grid view
    1.	In the Task UI, navigate to the Solution Configuration ->
    Views page
    2.	Click Add New to add a new view
    3.	Select Business Entity for object type, enter a name, select
    Task for the type, and click Add
    4.	Click Add Section, provide a Label and click Done
    5.	Drag Name to the section panel
    6.	Drag a Grid into the section panel, provide label name,
    change relationship type to Children, object type to Issue,
    actions to Associate, fill in all other mandatory fields, then
    click Done
    7.	Click Publish
    8.	Back on the Views tab, across from the new view, click the
    ellipsis and select Edit
    9.	Click on the Rules tab, change the Profiles to OpenPages
    Modules Master then click Save
    
    Steps to Reproduce:
    1.	Log into OpenPages UI as OpenPagesAdministrator
    2.	Navigate to Organization -> Business Entities
    3.	Click on any existing entity and confirm the child grid view
    displays as expected
    4.	Log off OpenPagesAdministrator and log back in as the user
    created above
    5.	Navigate to Organization -> Business Entities
    6.	Click on any existing entity and confirm the child grid view
    displays, even though the user has no permissions to the Issue
    object type it exposes
    
    Expected Results:
    
    Users should not see content for any object type they have no
    permissions to, including empty action grids for that type.
    
    Actual Results:
    
    Users can see restricted object type action grids within grid
    views
    
    Error Message:
    
    None
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * OpenPages Users                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * TASK UI - USERS WITH NO ROLE PERMISSION CAN STILL ACCESS     *
    * ACTION GRID IN TASK VIEW                                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Customers should download OpenPages with Watson 8.2 Fix Pack *
    * 2 (8.2.0.2). See the following document for details on       *
    * obtaining OpenPages 8.2.0.2:                                 *
    * https://www.ibm.com/support/pages/openpages-watson-82-fix-pa *
    * ck-2                                                         *
    ****************************************************************
    

Problem conclusion

  • The field check validated only against the user's profile, so it
    still returned fields belonging to object types that were not in
    the user's role template.
    
    There was already a check that adds a field only if its content
    type is in the profile. We updated the list of contentTypes to
    include only the ones the user actually has access to, which now
    takes the role template into account.
    
    Customers should download OpenPages with Watson 8.2 Fix Pack 2
    (8.2.0.2). See the following document for details on obtaining
    OpenPages 8.2.0.2:
    https://www.ibm.com/support/pages/openpages-watson-82-fix-pack-2
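
    The check described above, as an added example that is not part of
    the APAR or of OpenPages: a constructed Python model of a
    profile-only field filter next to one that intersects the profile's
    content types with what the user's role templates actually grant.
    The class and function names, the permission labels and the sample
    data are assumptions; only SOXBusinessEntity, the Issue grid and the
    "OpenPages Modules Master" profile come from the reproduction steps.

```python
"""Constructed illustration of the authorization defect in PH30371.

Not OpenPages code: the data model (Profile, RoleTemplate, Field), the
function names and the sample data below are assumptions made for this
example. Only the object type SOXBusinessEntity, the Issue grid and the
profile name "OpenPages Modules Master" are taken from the APAR text.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Field:
    name: str
    object_type: str  # content type whose records the field exposes


@dataclass(frozen=True)
class Profile:
    """A profile decides which object types a UI is configured to show."""
    name: str
    content_types: FrozenSet[str]


@dataclass
class RoleTemplate:
    """A role template grants per-object-type permissions (assumed labels)."""
    name: str
    permissions: Dict[str, FrozenSet[str]]

    def readable_types(self) -> FrozenSet[str]:
        return frozenset(t for t, perms in self.permissions.items() if "read" in perms)


@dataclass
class User:
    name: str
    profile: Profile
    roles: List[RoleTemplate]


def fields_before_fix(user: User, view_fields: Iterable[Field]) -> List[str]:
    """Pre-fix check: a field is rendered if its content type is in the
    profile. The role template is never consulted, so the Issue grid leaks."""
    return [f.name for f in view_fields if f.object_type in user.profile.content_types]


def accessible_content_types(user: User) -> FrozenSet[str]:
    """Post-fix: gate on the content types the profile exposes AND that at
    least one of the user's role templates lets them read."""
    granted = frozenset().union(*(r.readable_types() for r in user.roles))
    return user.profile.content_types & granted


def fields_after_fix(user: User, view_fields: Iterable[Field]) -> List[str]:
    allowed = accessible_content_types(user)
    return [f.name for f in view_fields if f.object_type in allowed]


# --- constructed sample data mirroring the reproduction steps in the APAR ---
VIEW_FIELDS = (
    Field("Name", "SOXBusinessEntity"),  # the Name field dragged into the section
    Field("Issues", "Issue"),            # the child Issue grid with the Associate action
)

MODULES_MASTER = Profile(
    "OpenPages Modules Master", frozenset({"SOXBusinessEntity", "Issue"})
)

ALL_PERMS = frozenset({"read", "write", "delete", "associate"})


def make_restricted_user() -> User:
    """User whose role template grants rights ONLY on SOXBusinessEntity."""
    role = RoleTemplate("BE-only", {"SOXBusinessEntity": ALL_PERMS})
    return User("sampleuser", MODULES_MASTER, [role])


def make_admin_user() -> User:
    """Administrator with rights on every type the profile exposes."""
    role = RoleTemplate("admin", {t: ALL_PERMS for t in MODULES_MASTER.content_types})
    return User("OpenPagesAdministrator", MODULES_MASTER, [role])


if __name__ == "__main__":
    u = make_restricted_user()
    print("before fix:", fields_before_fix(u, VIEW_FIELDS))  # ['Name', 'Issues']
    print("after fix: ", fields_after_fix(u, VIEW_FIELDS))   # ['Name']
```

    The point is the intersection: the profile is a UI-configuration
    concept, the role template is the authorization decision, and gating
    a field on the profile alone lets configuration stand in for access
    control. Any view or grid builder that filters fields should take
    its allowed content types from the intersection, not from the profile.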
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH30371

  • Reported component name

    OPENPAGES GRC

  • Reported component ID

    5725D5100

  • Reported release

    820

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-08

  • Closed date

    2021-03-31

  • Last modified date

    2021-03-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENPAGES GRC

  • Fixed component ID

    5725D5100

Applicable component levels

  • Line of Business: Data and AI (LOB10)

  • Business Unit: IBM Software w/o TPS (BU059)

  • Product: IBM OpenPages with Watson (SSFUEU)

  • Platform: Platform Independent (PF025)

  • Version: 820

Document Information

Modified date:
01 April 2021