I have row level access in place and it works from the client except the users can still see the results list. But when the user goes directly to a form by typing in the name directly in the URL for some reason they can go to any record. My concern is the mid-tier because that is the only method our customer uses to access Remedy.
Janet Mahan Network Systems Administrator II EMBARQ Voice: 941-766-6199 | Wireless: 321-356-0128 | Fax: 941-766-6199 Email: [EMAIL PROTECTED] Voice | Data | Internet | Wireless | Entertainment This e-mail is the property of EMBARQ and may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender and delete all copies of the message. -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Axton Sent: Friday, November 30, 2007 4:39 PM To: [email protected] Subject: Re: mid tier lock down URL Seems to me you are trying to address the symptoms and not the source of the problem. If this is really an issue, fix your apps within Remedy. Form, row, and field level access give you all you need to address any data leakage. Even if you somehow bandaid the mid-tier, anyone can use the api, a macro in the user tool, and probably a number of other methods to get at the data (all exposed via the api). If the only attack vector you are trying to address is the web, then I guess this approach would actually solve something, but how reliable and secure will it be in the end? How much time do you want to spend maintaining it? Axton Grams On 11/28/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote: > ** > > I can't crack my customer's across the knuckles! > > Seriously, does no one else think that is a security issue for any > user to be able to overwrite the url and get to hidden forms? > > > Janet Mahan > Network Systems Administrator II > EMBARQ > > Voice: 941-766-6199 | Wireless: 321-356-0128 | Fax: 941-766-6199 > Email: [EMAIL PROTECTED] > > Voice | Data | Internet | Wireless | Entertainment > > This e-mail is the property of EMBARQ and may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you are not the intended recipient (or authorized to > receive for the recipient), please contact the sender and delete all copies of the message. > > > ________________________________ > From: Action Request System discussion list(ARSList) > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Cook > Sent: Wednesday, November 28, 2007 5:45 PM > To: [email protected] > Subject: Re: mid tier lock down URL > > > ** > Why, what could be simpler than a ruler across the knuckles, > administered as necessary? ;-) Seriously, my preference would be to > simply report this person for violation of whatever IT policy > prohibits such actions. That's assuming that (s)he is causing some problem by doing so. > > Rick > > On 11/28/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote: > > ** > > > > > > Is there a simple way for someone that doesn't know a lot about > creating/modifying web pages to keep users from changing the URL in > the mid-tier and going directly to a form that they have hidden access to?????? > > > > Janet Mahan > > Network Systems Administrator II > > EMBARQ > > > > Voice: 941-766-6199 | Wireless: 321-356-0128 | Fax: 941-766-6199 > > Email: [EMAIL PROTECTED] > > > > Voice | Data | Internet | Wireless | Entertainment > > > > This e-mail is the property of EMBARQ and may contain confidential > > and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you are not the intended recipient (or authorized to > receive for the recipient), please contact the sender and delete all copies of the message. > > __20060125_______________________This posting was > submitted with HTML in it___ > > __20060125_______________________This posting was submitted with HTML > in it___ __20060125_______________________This posting was submitted > with HTML in it___ ________________________________________________________________________ _______ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
