Author Topic: Hijacking somebody else's EA user identifier  (Read 2899 times)

andykennelly

Hijacking somebody else's EA user identifier
« on: June 19, 2013, 05:18:31 pm »
I have security enabled my project, created EA users with the same user idfr as their windows user idfr and turned on 'Accept Windows authentication'. This means, of course, that users can open the project and are "known" to that project by their EA user idfr without having to enter that EA user idfr (i.e. silent login).

So far, so good.

Now I've noticed that any user can then select 'Security/Log in as another user', enter the EA user idfr of somebody else and they are then logged in to the project as that other person. I can't see anything in user permissions that could preclude a user from being able to log in as someone else in this way. One way around this is for EA users to be set up with a password ... but that seems to undermine the benefit of the silent login approach.      

I'm not really expecting anyone to actually do this, but I am being asked the question whether this is a potential loophole.

Any views or ideas?

Helmut Ortmann

Re: Hijacking somebody else's EA user identifier
« Reply #1 on: June 19, 2013, 07:32:27 pm »
Hi,

You have to import (Import Button) the user from Windows. Just clicking 'use windows login' isn't enough. Also make sure the user is defined only once. You have to delete the user before importing from Windows.


Best regards,

Helmut
Coaching, Training, Workshop (Addins: hoTools, Search&Replace, LineStyle)

Aaron B

  • EA Administrator
Re: Hijacking somebody else's EA user identifier
« Reply #2 on: June 20, 2013, 02:32:55 pm »
If you import the user accounts from Active Directory (as Helmut mentioned), then a random password is assigned by default to prevent manual/forced login with this account.
http://www.sparxsystems.com/enterprise_architect_user_guide/10/projects_and_teams/import_user_ids_from_active_di.html

If you want to be able to manually log in with an account imported this way, then you need to explicitly set a new password.