Ideas Dependencies tab - Unauthorized Access

Article ID: 206407

Products

Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

In Ideas under the Dependency tab, users are able to see / associate / add ideas with limited access.

  1. If they have view or edit access to an idea, they are able to add the respective idea as a dependency.
  2. Additionally, if User1 doesn't have view / edit access to idea2 but User2 adds idea2 as a dependency to an idea User1 does have view / edit / author (Idea - Initiator (Auto)) access to, then User1 is able to see idea2 in the dependency list. If the user clicks on the idea without view access, they get an error preventing them from accessing the idea details:

Error 401 - Unauthorized. You are not authorized to view the page. If you are sure you have access, try logging in again or contact your system administrator.

Is there a way we can control this so that ideas the user does not have access to are not shown?

Cause

This is expected behavior:

  1. If the user has View or Edit access to an idea, this allows the user to add that idea as a dependency to ideas they do have edit access to.
  2. If they don't have view / edit access to an idea, they will still be able to view ideas that have a dependent relationship with their idea. When another user adds an idea (e.g., Idea1) as a dependency to an idea (e.g., Idea2), this authorizes the users with access to Idea1 to view the idea (Idea2) dependency relationship for awareness. No additional access is granted when the dependency is added; the right to view the dependency is included as part of the Idea - View, Idea - Edit, or Idea - Initiator (Auto) rights for Idea1.

Environment

Release : All

Component : CA PPM PROJECT MANAGEMENT

Resolution

To prevent a user from adding another idea as a dependency, you would have to remove any view / edit access to that idea from the user's rights in Clarity. (Check at the global, OBS, and Instance levels for these rights for the user.)

There's no way to restrict a user who has view / edit / initiator access to one idea (idea1) from viewing dependencies associated with their idea (idea1). 
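
The rule described under Cause and Resolution can be modelled to find where a user sees an idea listed as a dependency but would get Error 401 on opening it. This is an added example, not Clarity code or its schema: the right names come from this article, while the grant tuples, the function names and the sample data are hypothetical, and rights are assumed to be already resolved across the global, OBS and instance levels.

```python
# Model of the behavior described in this article; constructed data, not Clarity code.
ANY_RIGHT = {"Idea - View", "Idea - Edit", "Idea - Initiator (Auto)"}
LINKABLE = {"Idea - View", "Idea - Edit"}

# Constructed grants: (user, idea, right), assumed already resolved across
# the global, OBS and instance levels.
GRANTS = {
    ("User1", "idea1", "Idea - View"),
    ("User2", "idea1", "Idea - Edit"),
    ("User2", "idea2", "Idea - View"),
}
# Constructed links: parent idea -> ideas listed on its Dependencies tab.
DEPENDENCIES = {"idea1": ["idea2"]}


def rights(grants, user, idea):
    """Rights the user holds on one idea."""
    return {r for (u, i, r) in grants if u == user and i == idea}


def can_open(grants, user, idea):
    """Opening idea details needs a right on that idea itself (else Error 401)."""
    return bool(rights(grants, user, idea) & ANY_RIGHT)


def can_add_dependency(grants, user, parent, dep):
    """Edit on the parent plus View or Edit on the idea being linked."""
    return ("Idea - Edit" in rights(grants, user, parent)
            and bool(rights(grants, user, dep) & LINKABLE))


def listed_dependencies(grants, deps, user, parent):
    """Any right on the parent shows its whole dependency list."""
    return list(deps.get(parent, [])) if can_open(grants, user, parent) else []


def exposure_report(grants, deps):
    """Map each user to (parent, dependency) pairs they see listed but cannot open."""
    report = {}
    for user in sorted({u for (u, _, _) in grants}):
        pairs = {(p, d) for p in deps
                 for d in listed_dependencies(grants, deps, user, p)
                 if not can_open(grants, user, d)}
        if pairs:
            report[user] = pairs
    return report


if __name__ == "__main__":
    for user, pairs in exposure_report(GRANTS, DEPENDENCIES).items():
        for parent, dep in sorted(pairs):
            print(f"{user} sees {dep} listed under {parent} but cannot open it")
```

Removing a user's view / edit right on an idea stops that user from adding new links to it, but in this model an existing link stays listed for everyone with a right on the parent idea.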

 

Additional Information

To submit an idea requesting a change in this behavior, see: Enhancement Requests for Clarity