🚨 1 security filter's unexpected twist will leave you intrigued!

Nicolas CHIGROS · 2023-11-14T15:41:01+00:00

There was an error rendering this rich post.

Hi everyone,

I think it may be useful information for some of you to know that the 3 options under Security Filters actually doesn't have the same behavior!

In fact the "Select Entity based on Cube" feature can be by passed the user itself! And it's by design *! By following the step bellow :

Open a layout editor (where the filtered entity his in rows and in show all for better view of the behavior)

2. Then make local selection on any parent Entities of the entity hold the security (here on Actif a parent entity of Etablissement):

3. the result presented to the end user will include all members under the selected parent and just not the ones with value in the cube (in my snapshots SEC_TEC_Etab_Lecture). This is unlike the other security filters option.

I will post an idea to have an option for the "Select Entity based on Cube" to behave like other Security filters in that regards but I think this intended behavior is unclear from the documentation and from the user interface itself so it may be useful to share with the community to highlight it!

*Validated by Board support team.

Find more posts tagged with

Administration

Security

Accepted answers

All comments

Julien CARDON

OMG, we have updated all my security model to use "select entity based on cube" 1 week ago. (and we have parent entities too to filter facilities per activity / country etc)

On our side we have security issue with security "select entity based on cubes" when it is used in conjonction with "run as admin" (compared to classic security model) but that's a minor issue compared to the one you have found.

@BOARD team : is-it possible to list all use case where security can be bypass by end-users when using "select entityt based on cube".

thanks for the info

julien

Samir Jones

Thank you, @Nicolas CHIGROS for sharing this.

Just like @Julien CARDON, we have the last weeks changed the security setup to be based on the Security filter. We also had training with the customer.

With this limitation (from my perspective), we will now have to reconsider the whole security setup.

Krisztina Zappert

Thank you Nicolas! This is extremely important for us to know!

Security is one of the few things that can absolutely NOT fail. It has to be airtight, and it has to be clear, otherwise very sensitive and even personal information might be presented to unauthorized users. Documentation on this needs to make sure to include this information, and they should remove this "feature" as soon as possible. I see no use-case for when it would be useful to be able to bypass security (in such an easy way).

It should be impossible to bypass security for non-admins. Full stop.

Antonio Speca

Hello,

We reviewed tha case with Board support and there is a bit of misunderstanding.

This behavior is a bug and it wlll be solved

Based-on and normal security should behave the same,

We apologize for the misunderstanding (generated by a bad communication between our dev team and R&D), we will provide a patch as soon as possible.

Antonio Speca

Head of Development

Samir Jones

@Antonio Speca, thank you for clarifying. :-)

Mateo DE LOS RIOS

Hello @Antonio Speca

We're very reassured to know that this bug is being taken seriously and will be corrected! However, I believe that the handling of this bug ticket is a necessary example to study for the evolution of Board support.

We opened the bug ticket on October 10th. Since then, we've had numerous exchanges and 2 calls with support, resulting in the final response that you're aware of.

We all agree that security matters should be taken very seriously. It was by posting in the community that we finally received a coherent response to this bug, and within less than 12 hours! This should have been the case when the ticket for this security vulnerability was first opened.

Let me know if we can be of any assistance in this improvement, we would be happy to participate.

Nicolas CHIGROS

Thanks you for your quick answer @Antonio Speca !

If it wasn't already clear : @Mateo DE LOS RIOS and I work together.

Let us know if we can be of any help on reviewing what happen with this ticket.

And sorry for the clickbait title! Just for the fun of it, the 1st ChatGPT suggestion was :

"Shocking Revelation: Unbelievable Truth About 1 Security Filter's Outrageous Behavior – You Won't Believe What Happened!"

Have a nice day!

Krisztina Zappert

@Antonio Speca Thank you for the reassurances, I gave a big sigh when I read that this limitation is treated as a bug.

@Nicolas CHIGROS I quite enjoyed the title, and the other one is even funnier :)

I also agree with @Mateo DE LOS RIOS on that it could be very beneficial for the improvement of support to have a retrospective on this case internally, define lessons learned, and drive positive change.

Fethi ZERARA

@Nicolas CHIGROS thank you for these Feedbacks!