What are the security implications after setting roles to "All Tenants"?

Document ID : KB000102845
Last Modified Date : 20/06/2018
Introduction:
There is a scenario where end users get an error message when submitting public surveys:

> AHD05237:An internal error with surveys occurred.

It happens because the access type being used by the contact is set to a role that does not have access to "All Tenants".

In order to resolve this issue, the administrator has followed a knowledge document (KB000043703), which suggests setting tenant access and tenant write access to "All Tenants".

This role is used as the "Command Line Utility Role" field in the access type.

Question:
Based on the knowledge document (KB000043703) mentioned above, is there any possibility of users accessing data that belongs to users of other tenants?
Environment:
Service Desk 17.1
Service Desk 17.0
Service Desk 14.1
Answer:
There is no possibility of users accessing data that belongs to users of other tenants if those users do not have web role access to "All Tenants". Even though a role is set to "All Tenants", that role is used only as the "Command Line Utility Role" in the access type. It does not mean the role has web access to Service Desk. It allows running commands in the operating system, such as pdm_text_cmd for ticket creation, but it does not mean a user will be able to access the operating system and execute commands.

There is no way for users to pass commands through the URL, because the "SOAP Web Service" and "REST Web Service" APIs are not enabled for "All Tenants". Any additional, specific restrictions can be applied through "Data Partitions" if necessary.
Additional Information:
Error: "AHD05237:An internal error with surveys occurred." In Browser When Submitting A Survey
https://comm.support.ca.com/kb/error-ahd05237an-internal-error-with-surveys-occurred-in-browser-when-submitting-a-survey/kb000043703