What are the security implications after setting roles to "All Tenants"?
Article ID: 102845
Updated On:
Products
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
Issue/Introduction
There is a scenario where end users get an error message when submitting public surveys:
> AHD05237:An internal error with surveys occurred.
It happens because the access type being used by the contact is set to a role that does not have access to "All Tenants".
In order to resolve this issue, the administrator has followed a knowledge document (KB000043703) which suggests to set tenant access and tenant write access to: "All Tenants".
This role is used as the "Command Line Utility Role" field in the access type.
Based on the knowledge document (KB000043703) mentioned, is there any possibility on having users accessing data from other tenant users?
> AHD05237:An internal error with surveys occurred.
It happens because the access type being used by the contact is set to a role that does not have access to "All Tenants".
In order to resolve this issue, the administrator has followed a knowledge document (KB000043703) which suggests to set tenant access and tenant write access to: "All Tenants".
This role is used as the "Command Line Utility Role" field in the access type.
Based on the knowledge document (KB000043703) mentioned, is there any possibility on having users accessing data from other tenant users?
Environment
Service Desk 17.1
Service Desk 17.0
Service Desk 14.1
Service Desk 17.0
Service Desk 14.1
Resolution
There is no possibility on having users accessing data from other tenant users if users do not have web role access to "All Tenants". Even though there is a role being set to "All Tenants", that role will be used only for the "Command Line Utility Role" in the access type. It does not mean the role have web access to Service Desk. It allows running commands in the operational system i.e. pdm_text_cmd for tickets creation, but it does not mean an user will be able to access the operational system and execute commands.
There is no way on having users passing commands through the URL because "SOAP Web Service" and "REST Web Service" API are not enabled for "All Tenants". Any additional and specific restrictions can be made through "Data Partitions" if necessary.
There is no way on having users passing commands through the URL because "SOAP Web Service" and "REST Web Service" API are not enabled for "All Tenants". Any additional and specific restrictions can be made through "Data Partitions" if necessary.
Additional Information
Error: "AHD05237:An internal error with surveys occurred." In Browser When Submitting A Survey
https://comm.support.ca.com/kb/error-ahd05237an-internal-error-with-surveys-occurred-in-browser-when-submitting-a-survey/kb000043703
https://comm.support.ca.com/kb/error-ahd05237an-internal-error-with-surveys-occurred-in-browser-when-submitting-a-survey/kb000043703
Attachments
Feedback
Yes
No
Powered by
