IBM Support

JR44299: ATTACHED DOCUMENTS CAN'T BE VIEWED

Fixes are available

Version 8.0 Refresh Pack 1 for the IBM Business Process Manager products
Version 7.5.1 Fix Pack 2 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In this scenario the setup is as follows,

- There are two processes: BPD A and B
- BPD A has two sequential tasks: Attach and View Document.
- BPD B has a single task: View Document.
- There are two users in the same participan group: User 1 and 2
- BPD A and B are exposed to the participant group.

Reproduction steps,
1. User 1 runs BPD A and claims the Attached Doc task and
creates a document.
2. User 2 runs BPD B and claims the View Doc task to see the
document created by User 1.
RESULT: User 2 is told that he/she is not authorized.

Local fix

  • 



Problem summary


    

  • USER AFFECTED:
==> Users who have BPM documents created and accessed from
different BPDs

PROBLEM SUMMARY:
==> Users claiming tasks in one BPD cannot see document content
created by another BPD, also accessible by them.

PROBLEM DETAILED DESCRIPTION:
==> The default implementation for the authorization API shipped
with the product did not do the proper checking to determine
whether a user, requesting to see the content of a document, had
the right access to the process instance that created the
document.

The implementation only checked if the user could claim a task
in the process.  If no tasks where available the user would be
denied access.  This behaviour is incorrect.  The implementaiton
needed to check
if the user could work on any tasks in the owning process,
regardless of whether any were available, as this would imply
the user could also read the document content.

    



Problem conclusion


    

  • Fix available for 7.5.1.1 on Fix Central,
http://www.ibm.com/support/fixcentral/
Fix is also planned to be delivered in next cumulative
maintenance deliverable for 8.0.1.

The fix modified the AuthorizationAPI implementation to check
access as described in the detailed description section above.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR44299
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    750
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2012-10-07
    • 

  • Closed date
    2013-01-21
    • 

  • Last modified date
    2013-01-21
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R751  PSY
       UP
    • 

  • R801  PSY
       UP
    • 








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback