Clarity: A XOG user is able to XOG read the object instance data without the proper access rights granted to the end-user for viewing the data online

Document ID : KB000051361
Last Modified Date : 14/02/2018

Description:

A XOG user should have the combination of the access rights to perform XOG read and XOG write actions plus access rights to the particular object instances for viewing the data. If the XOG user doesn't have the access right to the particular object instance data from the application UI, the XOG user shouldn't be able to XOG read or XOG write data for the object instances.

The combination of access rights for a XOG user and the Project object works as expected. For Non-Project Investment Objects (NPIO), however, a XOG user who does not have access to view an object instance in the application UI is still able to XOG read that instance data, even though the user should not be allowed to see it.

Specifically for the steps to reproduce (STR) below, the XOG user is able to XOG read instance data for Resources, Ideas and Users when only the XOG Access rights are granted, without any other access rights.

Steps to Reproduce:

  1. Login as a Clarity Administrator

  2. Admin Tool > Resources > Create a new user 'XOG_USER'

  3. Grant Global Access rights

    1. Administration - Access

    2. Administration - XOG

    3. Idea - XOG Access

    4. Projects - XOG Access

  4. Main Application > Ideas > Create a few Ideas

  5. Main Application > Projects > Create a few Projects

XOG_USER:

  1. Login as the 'XOG_USER'

  2. Admin Tool > Client Downloads

  3. Main Application > Observe: the XOG_USER cannot view project or idea instance data

  4. Logout of Clarity

  5. Using the sample XML files, perform the XOG read action for both projects and ideas, attempting to read all existing instance data records:

    • project_read.xml

    • ideas_read.xml

Expected: The XOG read action should generate no results or message to indicate the user is not authorized to view the data.

Actual: The XOG read action generated instance data output although the XOG_USER is not authorized to see the data.
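As an added check (not part of this KB article and not CA's own tooling), the script below parses the XOG read output returned to XOG_USER and flags the Actual condition above: instance records coming back for a user who has no rights to view them online. The response element names (Projects/Project, Ideas/Idea, XOGOutput/Status, XOGOutput/Statistics) are assumed from the standard XOG output layout, and both sample responses are constructed.

```python
# Added example (not from the KB article): audit a XOG read response to
# confirm that a user holding only XOG Access rights gets no instance data.
# Assumed response shape: <NikuDataBus> containing <Header>, one object
# container such as <Projects>/<Project> or <Ideas>/<Idea>, and <XOGOutput>
# with <Status state=...> and <Statistics totalNumberOfRecords=...>.
import xml.etree.ElementTree as ET

# Constructed sample: the "Actual" result for project_read.xml, with all
# project names and IDs fictional.
SAMPLE_LEAK = """<NikuDataBus>
  <Header action="read" objectType="project" version="8.0"/>
  <Projects>
    <Project name="Sample Project A" projectID="PR0001"/>
    <Project name="Sample Project B" projectID="PR0002"/>
  </Projects>
  <XOGOutput>
    <Status state="SUCCESS"/>
    <Statistics failureRecords="0" insertedRecords="0" totalNumberOfRecords="2" updatedRecords="0"/>
  </XOGOutput>
</NikuDataBus>"""

# Constructed sample: the "Expected" result, no instance data returned.
SAMPLE_CLEAN = """<NikuDataBus>
  <Header action="read" objectType="idea" version="8.0"/>
  <Ideas/>
  <XOGOutput>
    <Status state="SUCCESS"/>
    <Statistics failureRecords="0" insertedRecords="0" totalNumberOfRecords="0" updatedRecords="0"/>
  </XOGOutput>
</NikuDataBus>"""

NON_DATA = {"Header", "XOGOutput"}  # top-level elements that carry no instances

def audit_xog_read(response_xml, expect_no_access=True):
    """Return (verdict, record_ids); verdict is 'ok', 'leak' or 'error'."""
    root = ET.fromstring(response_xml)
    status = root.find("./XOGOutput/Status")
    if status is None or status.get("state") != "SUCCESS":
        return "error", []
    # Every child of a container other than Header/XOGOutput is an instance,
    # whatever the object type, so the check works for projects and ideas alike.
    ids = []
    for container in root:
        if container.tag in NON_DATA:
            continue
        for inst in container:
            ids.append(inst.get("projectID") or inst.get("objectID") or inst.tag)
    stats = root.find("./XOGOutput/Statistics")
    reported = int(stats.get("totalNumberOfRecords", "0")) if stats is not None else 0
    count = max(len(ids), reported)  # distrust a record count lower than the payload
    if expect_no_access and count > 0:
        return "leak", ids
    return "ok", ids
```

Run it against the output files the XOG client writes for XOG_USER; a 'leak' verdict after applying the workaround means the object's XOG Access right is still granted somewhere.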

Solution:

WORKAROUND:

Restrict the end-user from the ability to XOG Ideas or other objects that exhibit this behavior by removing the Object - XOG Access rights.

STATUS/RESOLUTION:

This issue has been documented as CLRT-25002 and is assigned to development for review. If you are experiencing this problem and the workaround above does not significantly help, please contact CA Clarity Technical Support.

Keywords: CLARITYKB, clarity12open, xml open gateway, security.