APAR status
Closed as fixed if next.
Error description
This is to report an error for the Search Solutions dialog in the SR application. The problem arises for users who are members of a security group that has the "Authorize Group for Customer on User's Person record?" checkbox checked (SPCUSTOMER), and also, separately, for users who are members of a security group that has the "Authorize Group for Customers in User's Person Customer Access List?" checkbox checked (RESTRICTEDUSER).

There are two related issues:

1) When searching solutions, the Search Solutions dialog shows solutions associated to the customer the logged-in user does NOT belong to/support. In other words, based on the group (SPCUSTOMER or RESTRICTEDUSER) the user is a member of and the associated customers in the Person record, the logged-in user is seeing solutions that they should not have access to see. This applies to solutions that have a customer associated.
2) When searching solutions, for solutions that have no customer associated, the Search Solutions dialog shows the solution records with X's marked through them.

Steps to recreate (SPCUSTOMER scenario):

1) As an admin user, create 4 solutions:
   a) solution record 111 associated to customer AAA;
   b) solution record 222 associated to customer BBB;
   c) solution record 333 associated to customer CCC; and
   d) solution record 444 associated to no customer (global).
   Ensure that all four solutions are set to ACTIVE status.
2) Log in as a user that is a member of the SPCUSTOMER security group. Ensure that in the person record, the customer in the Person tab is AAA (so the logged-in user belongs to AAA).
3) Create a new SR. Fill in all required fields and save.
4) On the toolbar, click on the "Search Solutions" icon.
5) Clear all the fields on the Search Solutions dialog and then press the Find button (so that it searches all solutions).

Expected: The View Solutions section shows only the solution records associated to the customer the logged-in user belongs to (i.e. solution record 111).

Results: Shows solution records associated to customers the logged-in user does NOT belong to (data segregation issue). In other words, it shows solution records 111, 222, and 333. Furthermore, for solution records that are not associated to any customer (solution record 444), it shows the record with X's marked through it.

A similar recreate scenario exists for the RESTRICTEDUSER case. For the RESTRICTEDUSER case, we should be able to see the global solution record 444 with no X's through it.
Local fix
na
Problem summary
****************************************************************
* USERS AFFECTED:
* Users with SP customer who should see only objects related to
* a customer
****************************************************************
* PROBLEM DESCRIPTION:
* SP restrictions are not added
****************************************************************
* RECOMMENDATION:
* Do not use a relationship in the dialog mbo reference
****************************************************************
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
IV32362
Reported component name
SECURITY
Reported component ID
5724R46SC
Reported release
711
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-11-22
Closed date
2013-01-23
Last modified date
2013-01-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
R750 PSY
UP