Screen permission on product GUI should not be used as a security safeguard for import jobs.
Screen permission prohibits certain non-administrator users from having access to various attributes on WPC. Customers have reported that, in spite of having screen permission set up for WPC's user interface, these users were able to modify the data in the restricted-access attributes by running an import job that contains values for these attributes.
Screen permission is a security feature for the product user interface only. It prevents users from accessing certain fields through the GUI. However, if a user is allowed scripting access, which includes import console access (since an import is essentially scripting), very little security is enforced against that user. The native WPC import rule provides only ACG access, a file format check and an import approver (not usually used by WPC clients). Thus, if a user has access to the import console (to either create or run a new import job) and follows all the "rules" (correct ACG group and file format), he or she has access to all fields of, say, a certain catalog through the import job, since WPC doesn't verify the content of the import being performed. When the user returns to the GUI after the import job finishes, they still cannot modify the data through the GUI, although the data shown in the GUI has by then already been altered by the import job.
Resolving the problem
The only way to achieve this type of granular security control is through custom import scripts. Support does not provide this type of service. Please contact your local IBM Professional Service Team for fee-based assistance. Otherwise, not allowing the user to run any import job is the best alternative for preventing a security breach on WPC.
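The kind of content check a custom import script would have to perform, sketched here in Python as an added illustration (it is not WPC scripting and not IBM code). The role names, attribute names and sample data are constructed, and the policy table stands in for whatever the GUI screen permission restricts.

```python
import csv
import io

# Hypothetical policy mirroring the GUI screen permission: attributes each
# role must not modify. Role and attribute names are constructed.
RESTRICTED = {
    "catalog_editor": {"list_price", "approval_status"},
    "admin": set(),
}

def check_import(role, csv_text, current, key="sku"):
    """Split an import file into (accepted_rows, violations).

    current maps key value -> stored attribute dict. A row is a violation
    when it changes (or clears) a restricted attribute, or sets one on a
    new item. Restricted columns carrying unchanged values are allowed.
    """
    if role not in RESTRICTED:
        raise PermissionError(f"unknown role: {role}")  # fail closed
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = set(reader.fieldnames or [])
    if key not in cols:
        raise ValueError(f"import file lacks key column {key!r}")
    checked = RESTRICTED[role] & cols  # absent columns cannot change data
    accepted, violations = [], []
    for row in reader:
        stored = current.get(row[key], {})
        changed = sorted(a for a in checked
                         if (row[a] or "") != stored.get(a, ""))
        if changed:
            # reader.line_num is the file line of the row just read
            violations.append((reader.line_num, row[key], changed))
        else:
            accepted.append(row)
    return accepted, violations

# Constructed sample data: stored catalog state and an import file.
CURRENT = {
    "A100": {"name": "Widget", "list_price": "9.99", "approval_status": "approved"},
    "A200": {"name": "Gadget", "list_price": "19.50", "approval_status": "pending"},
}
SAMPLE = (
    "sku,name,list_price,approval_status\n"
    "A100,Widget v2,9.99,approved\n"   # only an unrestricted field changes
    "A200,Gadget,1.00,approved\n"      # restricted values differ from stored
)

if __name__ == "__main__":
    ok, bad = check_import("catalog_editor", SAMPLE, CURRENT)
    print("accepted:", [r["sku"] for r in ok])
    print("rejected:", bad)
```

Comparing against the stored values, rather than rejecting any file that contains a restricted column, lets users re-import full exports while still blocking the modification path described above.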
|Information Management||InfoSphere Master Data Management Server for Product Information Management||AIX, Linux, Solaris||6.0, 9.0, 9.1|
|Information Management||InfoSphere Master Data Management Collaboration Server||AIX, Linux, Solaris||10.0|
InfoSphere Master Data Management Collaboration Server
MDM Server for PIM
WebSphere Product Center
InfoSphere MDM Server for PIM
InfoSphere Master Data Management Server for Product Information Management
More support for:
WebSphere Product Center
Software version: 5.3.2
Operating system(s): AIX, Linux, Solaris
Reference #: 1291906
Modified date: 01 November 2012