IBM Support

JR52601: CANNOT RESTRICT ACCESS TO INFORMATION BY USING REST APIS

Direct links to fixes

8.5.0.1-WS-BPM-IFJR52601
8.5.6.0-WS-BPM-IFJR52601
bpm.8560.cf1.delta.repository.1
bpm.8560.cf1.delta.repository.2
8.0.1.3-WS-BPM-IFJR52601
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The current REST APIs allow all authenticated users to receive
information about all users, groups, and teams. An operation
mode is needed restricting  access to concerned parties, such as
IBM Business Process Manager (BPM) administrators, team
managers, or users who are associated with specific work.

Local fix

  • 



Problem summary


    

  • By using REST APIs, you can limit authorization when users
access user, group, or team information. For instance, a user
can access any other user's details, including group
memberships, or access all available groups including the
memberships they contain.

    



Problem conclusion


    

  • A fix is/will be available for IBM BPM that enhances
authorization control for REST APIs by governing access to user,
group, and team information.

To enable the enhanced authorization control, add the following
setting to your 100Custom.xml file:

<server>
  <portal merge="mergeChildren">
    <authorization-enabled-for-org-info>true
    </authorization-enabled-for-org-info>
  </portal>
 </server>

The enhanced authorization control enforces the following
authorization rules when users access user-, group-, or
team-related REST APIs:

View user information: .../user/<userIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup) for all
  users
- All users for viewing data about themselves
- Users are enabled by the following policies:
-- ACTION_REFRESH_USER policy
-- ACTION_MANAGE_ANY_USERATTRIBUTE policy

Refresh user information:
.../user/<userIdOrName>?refreshUser=true, is enabled for
- IBM BPM  administrators (members of the bpmAdminGroup)
- Users authorized by the ACTION_REFRESH_USER policy

Update user attributes:
.../user/{userNameOrID}?action=setPreference, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup) for all
  users
- Users authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy

View users information: .../users, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View potential collaborators for a claimed task:
.../users?collabTaskidFilter=..., is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to invite others to collaborate on a task:
  Task owner

View potential reassignees for a received or claimed task:
.../users?assignTaskidFilter=...,
is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to reassign the task to other users, such as
-- Task owner, if enabled by ACTION_REASSIGN_TASK_USER_ROLE
   policy
-- Task team managers
-- Instance owners

View group information: .../group/<groupIdOrName>, is enabled
for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers (if the specified group corresponds to a team)

View groups information: .../groups, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View team information: .../team/<teamIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers

View team information: .../participantGroup/<pgIdOrName>, is
enabled for
- IBM BPM administrators (members of the bpmAdminGroup)


To download the fix, go to Fix Central
(http://www.ibm.com/support/fixcentral) and, search for JR52601:

1. Select IBM Business Process Manager with your edition from
  the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.

2. Select APAR or SPR, enter JR52601, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

    



Temporary fix


    

  • Not applicable

    



Comments


    

  • 



APAR Information




    

  • APAR number
    JR52601
    • 

  • Reported component name
    BPM ADVANCED
    • 

  • Reported component ID
    5725C9400
    • 

  • Reported release
    855
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-02-23
    • 

  • Closed date
    2015-04-17
    • 

  • Last modified date
    2015-04-17
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 August 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback