Missing function level access
Missing function level access issue is present in our one of pega 6.1 sp2 applications.
Message was edited by: Lochan to add Category
Yes Shan, We have an application in Pega 6.1 Sp2 version..!!
Issue: Whenever users who don't have access to Developer page are also able to access the page by using vulnerable URL( after loging in and then in new tab if we paste the Vulnerable URL). so if we check in pyRulesHome, there is just try catch method is mentioned. but we tried to add a when condition to have access only to the people who have access role from opendeveloperform. But we have our own customized access role which is used by multiple applications. so if we give privilege as opendeveloperform to our customized access role..it will get affected in all the applications even though it's not harmfull..!! so I need a solution for this..!!
We have customized developer Access role which is used by many applications. but the issue we are fixing should be only to one application. and fix is that, whoever might be trying to logging in with vulnerable URL must have opendeveloper form privilege in their access role, if this comes to true it will allow otherwise it should display an error message. we don't know that the customized access role is used by how many applications. this fix shouldn't disturb other applications..!!
We might need a bit more information to give a clear answer.
You should have different access groups for your users with developer access and those without even if they reference the same application. You can then provide an administrator role which has the opendeveloperform privilege to your developer access group, but not to other users of the same application.
It sounds like you might be trying to avoid this solution. I think it's possible to accomplish this by creating an "Access Deny" rule to deny the ability to open rules based upon a When rule which you can use to define whether some one is a developer - however I do not recommend this as to avoid unnecessary complexity in your application security.
Ok let me explain the exact issue..!! There are different access groups for different users. if we want to be a developer then there is a customized access role which is given to that access group. so now that access role is also used by many applications. now we are implementing security to one application so we are giving open developer from privilege to our customized access role which is used by many applications. now my question is will it affect other applications in any way if we do this. because the developer access role is always should be given to developers only. so the vulnerable URL is not going to be accessible to other users who doesn't have our customized developer access.
I need to know if our change is going to affect other applications in any way..!!
Still i am not very clear on the issue. What do you mean by vulnerable URL? Are you talking in terms of XSS issue?
Coming to access and privilege: if you give access group some customized role, anyone whether developer or a user, will have those access only. I dont think he has ability to mesh up with the other application where he dont have the access.
Could you elaborate more in detail?
Let us assume access role1 is the one which is given to developers. so now let us assume access group1 has access role1. developer has access group1. now this access role1 is also used by other application in same environments. our QA and dev is shared by different applications. for our fix we are giving open developer form privilege to access role1 so that we can write a condition in pyruleshome that only users who have access role1 as their role will be able to access the page. so will this get affected to any other applications.
I am still not sure I understand the scenario. Please let me know if this is right:
1) You have accessrole1 which permits developer access by granting the OpenDeveloperForm privilege
2) This accessrole1 is used in multiple applications
3) You want to write a condition in pyRulesHome so that only users that have the OpenDeveloperForm privilege can open the developer portal (e.g., want to make sure users can't just use the URL for the developer portal to get access to it).
4) Question: do you want to somehow limit which applications the users can access even if they have OpenDeveloperForm? Or always just check for OpenDeveloperForm?
Do you already know how to do this and you're asking whether it's the right thing to do? Or are you asking how to configure the condition to do what you want? It may help if you could share a screenshot of the condition you're trying to build.
Thanks
Hi, thanks for the reply... yes you understood some part of the issue. so here we are restricting when hackers or any end users are trying to access the pyRulesHome page by using a vulnerable URL. so for this we have a fix by adding a when condition which is same in pega 7.1 version pyRulesHome. this pyRulesHome and opendeveloperform are Out of box functionalities. so here is the condition we are adding.
<pega:choose>
<pega:when java='<%= pega_rules_default.HavePrivilege(tools, "OpenDeveloperForm", "@baseclass", null) %>'>
now this condition is going to check for open developerform privilege. but here we have our customized access role for developers which is used by many applications in dev and QA. so is it going to do any harmful impact to other applications.?? our intention is to fix only one application.
Note: in prod only one access role is mapped to opendeveloperform privilege.
Could you use the ruleset in which you save your version of pyRulesHome as a way to limit which applications are impacted? In other words, if you add the condition in a ruleset that is only visible to the application you want to fix, then it shouldn't have any impact on other applications.
