"when the user goes directly to a form by typing in the name directly
in the URL for some reason they can go to any record"

If this is true, this points to a bigger problem.  Can you describe
how you implemented row level access?

Axton Grams

On 11/30/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote:
> I have row level access in place and it works from the client except the
> users can still see the results list.  But when the user goes directly
> to a form by typing in the name directly in the URL for some reason they
> can go to any record. My concern is the mid-tier because that is the
> only method our customer uses to access Remedy.
>
>
> Janet Mahan
> Network Systems Administrator II
> EMBARQ
>
> Voice: 941-766-6199  |  Wireless: 321-356-0128  |  Fax: 941-766-6199
> Email: [EMAIL PROTECTED]
>
> Voice | Data | Internet | Wireless | Entertainment
>
> This e-mail is the property of EMBARQ and may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly
> prohibited. If you are not the intended recipient (or authorized to
> receive for the recipient), please contact the sender and delete all
> copies of the message.
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of Axton
> Sent: Friday, November 30, 2007 4:39 PM
> To: arslist@ARSLIST.ORG
> Subject: Re: mid tier lock down URL
>
> Seems to me you are trying to address the symptoms and not the source of
> the problem.  If this is really an issue, fix your apps within Remedy.
> Form, row, and field level access give you all you need to address any
> data leakage.
>
> Even if you somehow band-aid the mid-tier, anyone can use the API, a
> macro in the User Tool, and probably a number of other methods to get at
> the data (all exposed via the API).
>
> If the only attack vector you are trying to address is the web, then I
> guess this approach would actually solve something, but how reliable and
> secure will it be in the end?  How much time do you want to spend
> maintaining it?
>
> Axton Grams
>
> On 11/28/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote:
> >
> > I can't crack my customers across the knuckles!
> >
> > Seriously, does no one else think that is a security issue for any
> > user to be able to overwrite the URL and get to hidden forms?
> >
> >
> > Janet Mahan
> > Network Systems Administrator II
> > EMBARQ
> >
> > Voice: 941-766-6199  |  Wireless: 321-356-0128  |  Fax: 941-766-6199
> > Email: [EMAIL PROTECTED]
> >
> > Voice | Data | Internet | Wireless | Entertainment
> >
> >
> >  ________________________________
> >  From: Action Request System discussion list(ARSList)
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Cook
> > Sent: Wednesday, November 28, 2007 5:45 PM
> > To: arslist@ARSLIST.ORG
> > Subject: Re: mid tier lock down URL
> >
> >
> > Why, what could be simpler than a ruler across the knuckles,
> > administered as necessary?  ;-)  Seriously, my preference would be to
> > simply report this person for violation of whatever IT policy
> > prohibits such actions.  That's assuming that (s)he is causing some
> > problem by doing so.
> >
> > Rick
> >
> > On 11/28/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > Is there a simple way for someone that doesn't know a lot about
> > > creating/modifying web pages to keep users from changing the URL in
> > > the mid-tier and going directly to a form that they have hidden access
> > > to?
> > >
> > > Janet Mahan
> > > Network Systems Administrator II
> > > EMBARQ
> > >
> > > Voice: 941-766-6199  |  Wireless: 321-356-0128  |  Fax: 941-766-6199
> > > Email: [EMAIL PROTECTED]
> > >
> > > Voice | Data | Internet | Wireless | Entertainment
> > > __20060125_______________________This posting was submitted with HTML in it___
> >
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
>

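The point Axton makes above, that hiding a form or blocking typed URLs in the mid-tier does nothing for the API or User Tool paths while row-level access enforced in the application covers all of them, is illustrated below with an added, generic example. It is not code from this thread, from Remedy or from BMC; it is a small Python model with a "web" entry point standing in for the mid-tier and an "api" entry point standing in for the AR System API, and all users, groups, rows and function names in it are made up for the illustration.

```python
"""Added example (not code from the ARSList thread, from Remedy or from
BMC): a toy record store with two entry points, a "web" handler standing in
for the mid-tier and an "api" handler standing in for the AR System API or a
User Tool macro. It contrasts a web-tier band-aid with a row-level check
enforced in the data layer. All users, groups and rows are constructed."""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller may not see the requested row."""


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Row:
    row_id: str
    owner_group: str
    payload: str


# Constructed sample data: rows owned by two different groups.
ROWS = {
    "TKT-1001": Row("TKT-1001", "Billing", "billing dispute for account 42"),
    "TKT-1002": Row("TKT-1002", "HR", "disciplinary note, confidential"),
}

ALICE = User("alice", frozenset({"Billing"}))   # may see TKT-1001 only
BOB = User("bob", frozenset({"HR"}))            # may see TKT-1002 only


# ---- Band-aid: only the web tier is "hardened", and only by hiding the door.
def web_get_bandaid(user: User, row_id: str, referer: Optional[str]) -> str:
    # Refuses URLs typed directly (no Referer from the results list)...
    if referer != "/results":
        raise Forbidden("direct URL access blocked by mid-tier")
    # ...but performs no row-level check once the request is "trusted".
    return ROWS[row_id].payload


def api_get_bandaid(user: User, row_id: str) -> str:
    # The API path never passes through the mid-tier band-aid at all.
    return ROWS[row_id].payload


# ---- Source fix: one row-level predicate, applied below every entry point.
def row_visible(user: User, row: Row) -> bool:
    """Row-level access rule: the caller must be in the row's owner group."""
    return row.owner_group in user.groups


def load_row(user: User, row_id: str) -> Row:
    row = ROWS.get(row_id)
    # Missing and unauthorized rows get the same answer, so a caller who
    # types IDs into the URL cannot even learn which IDs exist.
    if row is None or not row_visible(user, row):
        raise Forbidden(f"{user.name} may not read {row_id}")
    return row


def web_get(user: User, row_id: str, referer: Optional[str] = None) -> str:
    # The Referer no longer matters; the check lives in load_row.
    return load_row(user, row_id).payload


def api_get(user: User, row_id: str) -> str:
    return load_row(user, row_id).payload


def search(user: User) -> list:
    """Results list filtered by the same predicate, so the list never
    shows IDs the user could not open."""
    return sorted(r.row_id for r in ROWS.values() if row_visible(user, r))


def demo() -> dict:
    """Return, per entry point, whether alice can read bob's HR row."""
    def leaks(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except (Forbidden, KeyError):
            return False

    return {
        "bandaid_web_spoofed_referer": leaks(web_get_bandaid, ALICE, "TKT-1002", "/results"),
        "bandaid_api": leaks(api_get_bandaid, ALICE, "TKT-1002"),
        "fixed_web_direct_url": leaks(web_get, ALICE, "TKT-1002", None),
        "fixed_api": leaks(api_get, ALICE, "TKT-1002"),
    }


if __name__ == "__main__":
    for path, leaked in demo().items():
        print(f"{path:30} {'LEAKS' if leaked else 'blocked'}")
```

Run stand-alone, the two band-aid paths report LEAKS and the two fixed paths report blocked; `search()` shows the same predicate filtering the results list, which is the part of the original question about users still seeing results. Returning the same error for a missing row and a forbidden row is a deliberate choice so that typing IDs into the URL does not reveal which records exist.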