Security - Tenant customization must be advanced

Description

Found that the tenant customization windows are accessible by non-advanced roles, creating a potential security breach.

Environment

None

Activity

Heng Sin Low
October 16, 2020, 11:20 PM

Shouldn’t it be the case that the tenant customizations are accessible by the Tenant Admin role and some fields that are considered dangerous are marked as advanced instead?

Carlos Ruiz
October 17, 2020, 9:05 AM

That is possible too. I did the analysis yesterday, and this is what I think needs to be marked as advanced in each case:

  • AD_UserDef_Tab
    • AD_Process_ID
    • DisplayLogic
    • IsReadOnly
    • OrderByClause
    • ReadOnlyLogic
    • WhereClause
    • and the new Tab Editor button

  • AD_UserDef_Field
    • AD_Reference_ID
    • AD_Reference_Value_ID
    • AD_Val_Rule_ID
    • DefaultLogic
    • DisplayLogic
    • IsAlwaysUpdateable
    • IsDisplayed
    • IsMandatory
    • IsReadOnly
    • IsUpdateable
    • MandatoryLogic
    • ReadOnlyLogic

  • AD_UserDef_Proc_Parameter
    • AD_Reference_ID
    • AD_Reference_Value_ID
    • AD_Val_Rule_ID
    • DefaultLogic
    • DisplayLogic
    • IsDisplayed
    • IsMandatory
    • MandatoryLogic
    • ReadOnlyLogic

  • AD_UserDef_Info_Column
    • AD_Reference_ID
    • AD_Reference_Value_ID
    • AD_Val_Rule_ID
    • DefaultLogic
    • DisplayLogic
    • InputFieldValidation
    • IsMandatory
    • IsReadOnly

Practically, that leads to customization by tenant admins of just the name, description and help.

I thought it is not worth keeping that window for tenant admins just to be able to change a name, but there is also the potential case where a tenant admin inadvertently sets up a change-name customization that has more precedence than the rule intended by the implementor and messes up what was intended by the implementor.

Because of the potential impact, I think it is better to keep the whole window just for the implementor, not for tenant admins.

Heng Sin Low
October 18, 2020, 3:01 AM

Hi,

Alright, we can go with this in core, and implementations can change it if they want to.

It does look weird, though, that we have to mark all tabs as “advanced” to mark a window as “advanced”.

Regards,

Low

Assignee

Carlos Ruiz

Reporter

Carlos Ruiz

Labels

Tested By

None

Priority

Major