REST API and attribute codes
Article ID: 387095

Products

Clarity PPM SaaS, Clarity PPM On Premise

Issue/Introduction

When making some REST API calls, some of the internal field attribute codes may be visible in the URL. Is this a vulnerability?

Environment

Any Supported Clarity Release 

Resolution

  • This is by design.
  • There are no plans to change how these attribute codes are displayed.
  • The names and labels of Clarity attributes are considered metadata, not sensitive data.
  • Most of the Clarity requests in which the attribute codes can be seen are only available to users with the relevant permissions, such as API - Access.
    • We recommend making sure this permission is granted only to users who are supposed to have it.
  • If you consider any of the attribute names sensitive, we recommend using more generic custom attribute names instead.
    • User-defined (custom) attributes created through Studio are controlled by your administrator, who can ensure that the attribute label, attribute ID and attribute API are defined in a generic manner so as not to expose sensitive information.