Author Topic: Tagged Values and Security  (Read 4214 times)

NilsH

Tagged Values and Security
« on: April 26, 2010, 11:46:45 pm »
Hello,

I activated Security for a project and created a user with only "Generate Documents" permissions (no lock required for changes).

If the user now accesses a requirement element, he is not able to change any attributes like name, notes etc., because the "Apply" button is not available.

In contrast, the user is able to fully change the tagged values in the Tagged Values view!

I know that as a workaround I can activate "lock required for changes", but this changed the complete editing behaviour in EA. I expected from the security features that the user cannot change any data without permissions and the Tagged Value "hole" seems to be a bug.

Do you agree on the opinion that this is a security bug? I will then forward a bug report to EA.

Cheers,
Nils

[Tested with EA 8 and EA 7.5]

beginner

Re: Tagged Values and Security
« Reply #1 on: April 26, 2010, 11:54:39 pm »
Definitely a bug. Though I think EA security is just a "sort of" security. Like many other features it has been added during development of EA. It lacks a proof of concept (many other features even lack a concept...). We use security at my customer's site. But it always has been thought of as a kind of add-on to prevent accidental changes. We just trust in the EA users. Hacking the database is too easy with and without the EA GUI.

b.

Paolo F Cantoni

Re: Tagged Values and Security
« Reply #2 on: April 27, 2010, 10:08:39 am »
Quote
Definitely a bug. Though I think EA security is just a "sort of" security. Like many other features it has been added during development of EA. It lacks a proof of concept (many other features even lack a concept...). We use security at my customer's site. But it always has been thought of as a kind of add-on to prevent accidental changes. We just trust in the EA users. Hacking the database is too easy with and without the EA GUI.

b.
As b says, definitely a bug!

It is another manifestation of a number of bugs I've reported, where you need to use a subsidiary mechanism (such as a builder button, or separate window) to amend the property of the main item. The main item is not seen (by EA) as changed ("dirty").

It's one of the few places EA is consistent - in the nature of its anti-patterns. I've got to a point where I can look at a new EA UI and predict where the bugs will be... and sure enough...

As b said, for some features, there seems to be no consistent conceptual model that we users can make sense of...

Paolo
« Last Edit: April 27, 2010, 10:38:21 am by PaoloFCantoni »
Inconsistently correct systems DON'T EXIST!
... Therefore, aim for consistency; in the expectation of achieving correctness....
-Semantica-
Helsinki Principle Rules!

Geert Bellekens

Re: Tagged Values and Security
« Reply #3 on: April 27, 2010, 03:36:23 pm »
As a workaround, you could disable write access to the database.
This ensures "real" security against modifications. (I just hope generating a report doesn't store anything in the database)

Geert

beginner

Re: Tagged Values and Security
« Reply #4 on: April 28, 2010, 04:11:34 am »
Quote
As a workaround, you could disable write access to the database.
This ensures "real" security against modifications. (I just hope generating a report doesn't store anything in the database)

Geert
...or trash EA security and use that of the database. But heaven knows what will happen then (think of all the "magic" fields).

The best way is to accept EA's security as "accidental delete prevention supporter". It's just named Security. Things should be named after what they're supposed to be. Words are patient, though. Users not always.

b.