What are the security implications after setting roles to "All Tenants"?
Article ID: 102845
Products
SUPPORT AUTOMATION- SERVER; CA Service Desk Manager - Unified Self Service; KNOWLEDGE TOOLS; CA Service Management - Asset Portfolio Management; CA Service Management - Service Desk Manager
Issue/Introduction
There is a scenario where end users get an error message when submitting public surveys:
> AHD05237:An internal error with surveys occurred.
This happens because the access type used by the contact is set to a role that does not have access to "All Tenants".
To resolve this issue, the administrator followed a knowledge document (KB000043703), which suggests setting tenant access and tenant write access to "All Tenants".
This role is the one set in the "Command Line Utility Role" field of the access type.
Given the change described in knowledge document KB000043703, is there any possibility of users accessing data from other tenants' users?
Environment
Service Desk 17.1, Service Desk 17.0, Service Desk 14.1
Resolution
There is no possibility of users accessing data from other tenants' users as long as those users do not have web role access to "All Tenants". Even though a role is set to "All Tenants", that role is used only as the "Command Line Utility Role" in the access type. That does not mean the role has web access to Service Desk. It allows commands to be run on the operating system, such as pdm_text_cmd for ticket creation, but it does not mean that a user will be able to access the operating system and execute commands.
Users cannot pass commands through the URL because the "SOAP Web Service" and "REST Web Service" APIs are not enabled for "All Tenants". Any additional, specific restrictions can be applied through "Data Partitions" if necessary.