APAR status
Closed as program error.
Error description
The current REST APIs allow every authenticated user to retrieve information about all users, groups, and teams. An operation mode is needed that restricts this access to concerned parties, such as IBM Business Process Manager (BPM) administrators, team managers, or users who are associated with the specific work in question.
Local fix
Problem summary
The REST APIs apply only limited authorization when users access user, group, or team information. For instance, any authenticated user can read any other user's details, including that user's group memberships, or list all available groups together with the members they contain.
Problem conclusion
A fix is/will be available for IBM BPM that enhances authorization control for REST APIs by governing access to user, group, and team information. The enhanced control is not active merely by installing the fix; it takes effect only after the following setting is added to your 100Custom.xml file:

<server>
  <portal merge="mergeChildren">
    <authorization-enabled-for-org-info>true</authorization-enabled-for-org-info>
  </portal>
</server>

The enhanced authorization control enforces the following authorization rules when users access user-, group-, or team-related REST APIs:

View user information: .../user/<userIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup), for all users
- All users, for viewing data about themselves
- Users authorized by the following policies:
-- ACTION_REFRESH_USER policy
-- ACTION_MANAGE_ANY_USERATTRIBUTE policy

Refresh user information: .../user/<userIdOrName>?refreshUser=true, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized by the ACTION_REFRESH_USER policy

Update user attributes: .../user/{userNameOrID}?action=setPreference, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup), for all users
- Users authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy

View users information: .../users, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View potential collaborators for a claimed task: .../users?collabTaskidFilter=..., is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to invite others to collaborate on the task: the task owner

View potential reassignees for a received or claimed task: .../users?assignTaskidFilter=..., is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to reassign the task to other users, such as
-- The task owner, if enabled by the ACTION_REASSIGN_TASK_USER_ROLE policy
-- Task team managers
-- Instance owners

View group information: .../group/<groupIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers (if the specified group corresponds to a team)

View groups information: .../groups, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View team information: .../team/<teamIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers

View team information: .../participantGroup/<pgIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

To download the fix, go to Fix Central (http://www.ibm.com/support/fixcentral) and search for JR52601:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR52601, and click Continue.

When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
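The following is an added example and is not code from the APAR or from IBM. It covers two things a practitioner wants after applying this fix: a check that 100Custom.xml actually carries the authorization-enabled-for-org-info setting (the fix is opt-in, so a forgotten setting leaves the old behaviour in place), and a probe that calls the user, group, and team endpoints as an ordinary non-administrator and confirms they are now denied. The element names <server>, <portal merge="mergeChildren"> and <authorization-enabled-for-org-info> come from the APAR text; the sample XML, the REST path prefix (supplied by the caller as base_url), the user, group and team names, and the assumption that a denial surfaces as HTTP 401 or 403 are all assumptions of this example. The probe user must be a plain user, not a bpmAdminGroup member, team manager, or instance owner, or the expected denials will not apply.

```python
"""Added example for APAR JR52601: verify the opt-in setting and probe enforcement."""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SETTING = "authorization-enabled-for-org-info"   # element name from the APAR

# Constructed sample 100Custom.xml that has the fix installed but NOT enabled.
SAMPLE_100CUSTOM = (
    '<server><portal merge="mergeChildren">'
    "<some-other-setting>x</some-other-setting>"
    "</portal></server>"
)


def ensure_org_info_authorization(xml_text: str) -> str:
    """Return xml_text with <portal merge="mergeChildren"> carrying
    <authorization-enabled-for-org-info>true</...>. Idempotent; creates the
    <portal> element if it is missing and overrides a 'false' value."""
    root = ET.fromstring(xml_text)
    if root.tag != "server":
        raise ValueError("100Custom.xml must have <server> as its root element")
    portal = root.find("portal")
    if portal is None:
        portal = ET.SubElement(root, "portal")
    portal.set("merge", "mergeChildren")  # merge into the effective config, not replace
    flag = portal.find(SETTING)
    if flag is None:
        flag = ET.SubElement(portal, SETTING)
    flag.text = "true"
    return ET.tostring(root, encoding="unicode")


def org_info_authorization_enabled(xml_text: str) -> bool:
    """True only if the setting is present under <portal> and reads 'true'."""
    flag = ET.fromstring(xml_text).find(f"./portal/{SETTING}")
    return flag is not None and (flag.text or "").strip().lower() == "true"


def http_fetch_factory(base_url: str, username: str, password: str):
    """Build fetch(path) -> HTTP status, using basic auth as the probe user.
    base_url is assumed to include the REST prefix up to the '...' in the APAR."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch(path: str) -> int:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path}",
            headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 401/403 are the interesting outcomes here

    return fetch


def probe_enforcement(fetch, self_user: str, other_user: str, group: str, team: str):
    """Call each org-info endpoint as a non-admin and compare with the APAR rules.
    Returns {path: (status, matches_expectation)}. Viewing one's own record must
    still succeed; everything else must be denied for a plain user."""
    expectations = {
        f"user/{self_user}": "allowed",
        f"user/{other_user}": "denied",
        "users": "denied",
        f"group/{group}": "denied",
        "groups": "denied",
        f"team/{team}": "denied",
        f"participantGroup/{team}": "denied",
    }
    results = {}
    for path, expected in expectations.items():
        status = fetch(path)
        denied = status in (401, 403)  # assumption: denial surfaces as 401/403
        results[path] = (status, denied == (expected == "denied"))
    return results
```

Typical use: run `ensure_org_info_authorization` over the real 100Custom.xml before restarting the server, then `probe_enforcement(http_fetch_factory("https://host:9443/rest/...", "plainuser", "pw"), "plainuser", "someoneelse", "somegroup", "someteam")` and treat any path whose second tuple element is False as an unfixed exposure.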
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR52601
Reported component name
BPM ADVANCED
Reported component ID
5725C9400
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-02-23
Closed date
2015-04-17
Last modified date
2015-04-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
Product: IBM Business Process Manager Standard (SSFTDH); Business Unit: IBM Software w/o TPS (BU059); Platform: Platform Independent (PF025); Version: 855; Line of Business: Automation (LOB45)
Document Information
Modified date:
31 August 2023