🚨 1 security filter's unexpected twist will leave you intrigued!

Nicolas CHIGROS (Active Partner)
edited November 2023 in Platform

Hi everyone,

I think it may be useful information for some of you to know that the 3 options under Security Filters actually don't have the same behavior!

In fact, the "Select Entity based on Cube" feature can be bypassed by the user itself! And it's by design*! By following the steps below:

  1. Open a layout editor (where the filtered entity is in rows and in "show all", for a better view of the behavior).

  2. Then make a local selection on any parent entity of the entity holding the security (here on Actif, a parent entity of Etablissement):

  3. The result presented to the end user will include all members under the selected parent, not just the ones with a value in the cube (in my snapshots SEC_TEC_Etab_Lecture). This is unlike the other security filter options.

I will post an idea to have an option for "Select Entity based on Cube" to behave like the other security filters in that regard, but I think this intended behavior is unclear from the documentation and from the user interface itself, so it may be useful to share with the community to highlight it!

*Validated by Board support team.
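As an added illustration (not part of Nicolas's post and not Board's own code), here is a small Python model of the behaviour described above, together with the check a defender would run against any access-resolution function: enumerate every parent-level selection and confirm nothing is exposed beyond what the security cube grants. The entity names Actif and Etablissement and the cube name SEC_TEC_Etab_Lecture are taken from the post; the hierarchy, the cube contents, the user "alice" and both resolver functions are constructed here as assumptions.

```python
from itertools import combinations

# Constructed hierarchy: parent entity Actif -> child entities Etablissement.
ACTIF_TO_ETAB = {
    "Actif_A": ["Etab_1", "Etab_2"],
    "Actif_B": ["Etab_3", "Etab_4"],
}

# Constructed security cube SEC_TEC_Etab_Lecture: a (user, Etablissement)
# cell holding a value grants that user read access to that Etablissement.
SEC_TEC_ETAB_LECTURE = {("alice", "Etab_1"), ("alice", "Etab_3")}

def allowed_etabs(user):
    """Etablissements the security cube grants to `user`."""
    return {etab for (u, etab) in SEC_TEC_ETAB_LECTURE if u == user}

def etabs_under(actifs):
    """All Etablissements below the given parent Actifs."""
    return {e for a in actifs for e in ACTIF_TO_ETAB.get(a, [])}

def resolve_as_described(user, selected_actifs):
    """Hypothetical model of the behaviour reported in the post: a local
    selection on the parent returns every child under it, ignoring the cube."""
    if selected_actifs:
        return etabs_under(selected_actifs)
    return allowed_etabs(user)

def resolve_intersected(user, selected_actifs):
    """Expected behaviour: a local selection can only narrow the granted set."""
    granted = allowed_etabs(user)
    if selected_actifs:
        return granted & etabs_under(selected_actifs)
    return granted

def leaks(resolver, user):
    """Enumerate every possible parent-level selection and return the
    members a resolver exposes beyond what the security cube grants.
    An empty result is the invariant a security model must satisfy."""
    granted = allowed_etabs(user)
    exposed = set()
    actifs = list(ACTIF_TO_ETAB)
    for n in range(len(actifs) + 1):
        for sel in combinations(actifs, n):
            exposed |= resolver(user, set(sel)) - granted
    return exposed

if __name__ == "__main__":
    print("as described:", sorted(leaks(resolve_as_described, "alice")))
    print("intersected: ", sorted(leaks(resolve_intersected, "alice")))
```

The same enumeration can be pointed at a real deployment by replacing the two constructed dictionaries with exports of the hierarchy and the security cube, and the resolver with a function that queries the platform as the user under test.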

Answers

  • Julien CARDON (Customer)
    edited November 2023

    OMG, we updated our whole security model to use "select entity based on cube" 1 week ago (and we have parent entities too, to filter facilities per activity / country etc.).

    On our side we have a security issue with "select entity based on cube" when it is used in conjunction with "run as admin" (compared to the classic security model), but that's a minor issue compared to the one you have found.

    @BOARD team: is it possible to list all use cases where security can be bypassed by end users when using "select entity based on cube"?

    Thanks for the info,

    Julien

  • Samir Jones (Active Partner, Community Captain)

    Thank you, @Nicolas CHIGROS for sharing this.

    Just like @Julien CARDON, we have in the last weeks changed the security setup to be based on the Security filter. We also had training with the customer.

    With this limitation (from my perspective), we will now have to reconsider the whole security setup.

  • Thank you Nicolas! This is extremely important for us to know!

    Security is one of the few things that can absolutely NOT fail. It has to be airtight, and it has to be clear, otherwise very sensitive and even personal information might be presented to unauthorized users. Documentation on this needs to make sure to include this information, and they should remove this "feature" as soon as possible. I see no use case for when it would be useful to be able to bypass security (in such an easy way).

    It should be impossible to bypass security for non-admins. Full stop.

  • Samir Jones (Active Partner, Community Captain)

    @Antonio Speca, thank you for clarifying. :-)

  • Hello @Antonio Speca

    We're very reassured to know that this bug is being taken seriously and will be corrected! However, I believe that the handling of this bug ticket is a necessary example to study for the evolution of Board support.

    We opened the bug ticket on October 10th. Since then, we've had numerous exchanges and 2 calls with support, resulting in the final response that you're aware of.

    We all agree that security matters should be taken very seriously. It was by posting in the community that we finally received a coherent response to this bug, and within less than 12 hours! This should have been the case when the ticket for this security vulnerability was first opened.

    Let me know if we can be of any assistance in this improvement; we would be happy to participate.

  • Nicolas CHIGROS (Active Partner)
    edited November 2023

    Thank you for your quick answer @Antonio Speca!

    If it wasn't already clear: @Mateo DE LOS RIOS and I work together.

    Let us know if we can be of any help in reviewing what happened with this ticket.

    And sorry for the clickbait title! Just for the fun of it, the 1st ChatGPT suggestion was:

    "Shocking Revelation: Unbelievable Truth About 1 Security Filter's Outrageous Behavior – You Won't Believe What Happened!"

    Have a nice day!

  • @Antonio Speca Thank you for the reassurances, I gave a big sigh when I read that this limitation is treated as a bug.

    @Nicolas CHIGROS I quite enjoyed the title, and the other one is even funnier :)

    I also agree with @Mateo DE LOS RIOS that it could be very beneficial for the improvement of support to have a retrospective on this case internally, define lessons learned, and drive positive change.

  • Fethi ZERARA (Active Partner, Community Captain)

    @Nicolas CHIGROS thank you for this feedback!