IBM Support

PI80533: 'TYPE' ACCESS CONTROL ISSUE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Using the UCD Role Configuration
page, you can set permissions per Type. But in some cases, the
permission is not limited per Type but rather is set at the user
level.

Steps to reproduce:
1) Using admin user, create a Role Developers and click 'Role
Configuration' tab.
2) Click on 'Component', and click 'Create Type' button and
create a new Type PROD Component
3) Create another new Type DEV Component
4) For 'DEV component' type, give the following permissions:
    View Components, Create > Create Components, Edit > Edit
Basic Settings, Edit > Manage Properties, Edit > Manage Teams.
    Make sure there are no permissions for 'Standard Component'
type
and 'PROD Component' type
5) Click 'Web UI' and give only 'Components Tab' permission
6) Create a user developer
7) Create a team Team A and assign developer to the 'Developers'
role
8) Launch another browser and log in UI with developer user.
9) Click 'Create Component'. In the 'Create Component' pop-up
dialog, Select 'Team A' and Type 'PROD Component'.
10) Click 'Add' button, and then click 'Save' button.
11) Click the component you just created, and click
'Configuration' tab.

Notice that 'Team A PROD Component)' is added and visible.

Issue#1:
    Under 'Type' list box, 'PROD Component' is not supposed to
be visible as developer user neither have 'View' permission on
the 'PROD Component' Type, nor have 'Edit' permission; however,
the user (developer) is able to view & save it.

12) Attempt to remove (click 'X') 'Team A(as PROD Component)'
and notice that you are able to remove it.
Issue#2:
    The developer should not be able to remove 'PROD Component'
which could be created by someone who has appropriate
permission on 'PROD Component' Type.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* Access control issues around UrbanCode deploy Types          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* Access control issues around UrbanCode deploy Types          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

    



Problem conclusion


    

  • Issues are fixed, and Types respect permissions.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI80533
    • 

  • Reported component name
    UC DEPLOY
    • 

  • Reported component ID
    5725M5400
    • 

  • Reported release
    623
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-04-25
    • 

  • Closed date
    2018-09-24
    • 

  • Last modified date
    2018-09-24
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    UC DEPLOY
    • 

  • Fixed component ID
    5725M5400
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS4GSP","label":"IBM UrbanCode Deploy"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"623","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            24 September 2018
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback