Process Mapping - Forums
Metastorm BPM forums
Ptonka (Veteran, Posts: 147), post #1
Hi Freaks,

We use Metastorm in our company. Now we have the following security problem: every user has his own roles, which entitle him to open the forms with his own data. The problem is, if another user changes the URL, the forms are shown with data from another user. That's not correct. How can I stop this?
Thanks for your help.
Joe

Addendum:
If I copy a URL of my own - for example Travel-Process - and send it by mail to another user, this user can copy and paste this URL into his browser and my data will be shown - that's not allowed!!!!
I copy the URL by right-clicking on the open form, then selecting "Properties" and then copying the URL from "Address (URL)".
Please help me to stop this problem (Data Protection!!!)
Thanks.
BMellert (Guru, Posts: 688), post #2
I wonder how your roles are set up or how you validate users into your system.  If users can log in as anybody, then I'm not sure how you'd stop this.  If users have decent passwords, or you use single sign on (as we do in production), it should not be possible to log in as a different user.

Presuming users cannot log in as somebody else, then I suspect your roles or data access logic may not be set up correctly.  More details are needed before we can assist further.
bigfootger (Veteran, Posts: 139), post #3
Hi,

I agree with bmellert. If everybody can actually open the form at any time, then your roles seem to be set up insufficiently for the level of security required.

I recommend building a small test process and replicating your current role setup to experiment with the different role settings and form access permissions.

I hope that helps a bit.


__________________
Metastorm BPM Remote Expert Help & Web Consultations - http://connect.convedo.com/free-1-hour-web-consultation
Jerome (Guru, Posts: 5,507), post #4
The problem is not that of Roles, it is that of merely spoofing a URL. It is a common issue, and one that we cover in our training.

The best way to manage this is to use the 'Limit access to' property of a Process. Set this to a role or multiple roles. This should either be a blanket role for that process, or probably all the roles used within the process.

If you set it to To Do list & Watch List, this should limit access at all times to users on the To and Watch list only.

__________________
Post an example, and we will have a much better idea what the problem is. In about 90% of posts, the problem is one of communication. Examples bridge that gap.
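As an added illustration of the distinction Jerome draws (this is not code from the thread or from Metastorm), the following JavaScript models a form lookup that trusts the folder ID in the URL beside one that also checks the requesting session against the folder's To Do list and Watch List before returning data. The user names, folder IDs, the `FolderID` query parameter and the data are constructed for the example.

```javascript
// Constructed sample: two Travel-Process folders belonging to different users.
// Only the To Do list and Watch List decide who may open a folder.
const folders = new Map([
  ["F-1001", { owner: "joe",  todo: ["joe"],  watch: ["manager"], data: { cost: 420 } }],
  ["F-1002", { owner: "anna", todo: ["anna"], watch: [],          data: { cost: 150 } }],
]);

// Denied requests are recorded so that repeated folder-ID probing is visible in logs.
const denials = [];

function folderIdFromUrl(url) {
  // Base URL is a placeholder; only the query string matters here.
  return new URL(url, "http://bpm.example").searchParams.get("FolderID");
}

// Vulnerable behaviour: whoever knows (or guesses) the folder ID gets the data.
// The authenticated user is never consulted, so a pasted URL opens anyone's form.
function openFormUnchecked(user, url) {
  const folder = folders.get(folderIdFromUrl(url));
  return folder ? folder.data : null;
}

// Access rule modelled on "Limit access to: To Do list & Watch List".
function canOpenFolder(user, folder) {
  return folder.todo.includes(user) || folder.watch.includes(user);
}

// Hardened behaviour: identity comes from the server-side session, not the URL,
// and the folder is returned only when that identity passes the access rule.
function openFormChecked(session, url) {
  const folderId = folderIdFromUrl(url);
  const folder = folders.get(folderId);
  if (!folder) return { status: 404, data: null };
  if (!canOpenFolder(session.user, folder)) {
    denials.push({ user: session.user, folderId });
    return { status: 403, data: null };
  }
  return { status: 200, data: folder.data };
}

// Anna pastes Joe's URL: the unchecked lookup leaks, the checked one refuses.
console.log(openFormUnchecked("anna", "/form?FolderID=F-1001"));          // { cost: 420 }
console.log(openFormChecked({ user: "anna" }, "/form?FolderID=F-1001"));   // status 403
console.log(openFormChecked({ user: "manager" }, "/form?FolderID=F-1001")); // status 200
```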
jasonstorey (Member, Posts: 19), post #5
One idea (just spitballing off the top of my head here) is to have a single role that all users use which is passwordless, then make a JScript function that shows a dialog on form load and asks for a password.
Check a database and return/edit any role data you want from the eassignment/erole/eattribute tables through SQL.

Granted it's not a major super-secure fix as there are some ways around it but it is a whole lot harder to bypass than copy-paste addresses!

__________________
JasonStorey
BRD (Member, Posts: 30), post #6
This is an interesting topic. One where BRD may be able to help.

In short, the next release of SWiFT (539) gives you the option to cryptographically hide exposed URLs and Folder IDs. The option is also there to tie them to an MBPM Session ID.

CAPTCHA is also another feature for failed logins. This should help prevent denial of service attacks by failed logins.

Full details on SWiFT 539 will be published on here once it's ready for preview. If you wish to talk more about how we can help, do send me a message. 


__________________
http://www.brdee.com/metastorm

https://twitter.com/BRDltd