The application lacks access controls on multiple API endpoints. For example, an ordinary user of the application can list all other users by interacting with the endpoint /sigma/rest/protected/campaigns/search/users/.
IP 14.5.1 CHF1
Truesec recommends implementing access control for all sections of the application, so that users can only reach the resources they are authorized to access. Moreover, the user's role should be checked to verify that the user is authorized to access the requested event.
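The following is an added example, not code from the report or from the Identity Portal, showing the two checks the recommendation asks for: a deny-by-default endpoint policy keyed on the caller's role, followed by an object-level check that the caller actually owns the requested resource. The endpoint path is the one from the finding; the role names, the campaign resources and the user accounts are constructed for illustration.

```python
"""Deny-by-default endpoint and object-level authorization.

Added example (not the report's or the product's code). It models the
recommendation that every API endpoint verify the caller's role before
serving data, and that access to a specific resource also be checked
against what that caller owns. The endpoint path is the one in the
finding; role names, campaigns and users are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]


# Endpoint policy: (method, path prefix) -> roles allowed to call it.
# Anything absent from this table is denied (fail closed).
# Role names are assumptions, not the product's own roles.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("GET", "/sigma/rest/protected/campaigns/search/users/"): frozenset({"campaign_admin"}),
    ("GET", "/sigma/rest/protected/campaigns/"): frozenset({"user", "campaign_admin"}),
}

# Constructed resources: campaign id -> owner user id.
CAMPAIGN_OWNERS: Dict[str, str] = {"c1": "alice", "c2": "bob"}
DIRECTORY = ["alice", "bob", "carol"]  # constructed user list


def endpoint_allowed(principal: Principal, method: str, path: str) -> bool:
    """True only if the policy explicitly grants one of the caller's roles
    access to this endpoint. The longest matching prefix wins, so the narrow
    rule for /campaigns/search/users/ is not masked by the broader /campaigns/ rule."""
    best: Optional[FrozenSet[str]] = None
    best_len = -1
    for (pol_method, prefix), allowed in POLICY.items():
        if method == pol_method and path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = allowed, len(prefix)
    return best is not None and bool(principal.roles & best)


def object_allowed(principal: Principal, campaign_id: str) -> bool:
    """Object-level check: admins see every campaign, ordinary users only the
    campaigns they own. An unknown id is denied rather than revealed as absent."""
    owner = CAMPAIGN_OWNERS.get(campaign_id)
    if owner is None:
        return False
    return "campaign_admin" in principal.roles or owner == principal.user_id


def handle(principal: Principal, method: str, path: str) -> Tuple[int, dict]:
    """Dispatch a request: endpoint check first, then the object check for
    resource paths, and only then touch any data."""
    if not endpoint_allowed(principal, method, path):
        return 403, {"error": "forbidden"}
    search_prefix = "/sigma/rest/protected/campaigns/search/users/"
    if path.startswith(search_prefix):
        return 200, {"users": list(DIRECTORY)}
    campaign_id = path[len("/sigma/rest/protected/campaigns/"):].strip("/")
    if not object_allowed(principal, campaign_id):
        # Same status as the endpoint denial, so a caller cannot distinguish
        # a campaign they do not own from one that does not exist.
        return 403, {"error": "forbidden"}
    return 200, {"campaign": campaign_id, "owner": CAMPAIGN_OWNERS[campaign_id]}


ALICE = Principal("alice", frozenset({"user"}))          # constructed ordinary user
BOB = Principal("bob", frozenset({"campaign_admin"}))    # constructed administrator

if __name__ == "__main__":
    for who in (ALICE, BOB):
        for p in ("/sigma/rest/protected/campaigns/search/users/",
                  "/sigma/rest/protected/campaigns/c1/",
                  "/sigma/rest/protected/campaigns/c2/"):
            print(who.user_id, "GET", p, "->", handle(who, "GET", p)[0])
```

Running the block shows the ordinary user receiving 403 on the user-search endpoint and on a campaign they do not own, while the administrator is served on all three. The design choice worth noting is that the policy table is the only place a request can be granted: a new endpoint that nobody added to the table is unreachable until someone decides which roles may call it.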
Access control in the Identity Portal is implemented at the module level, so the administrator can decide who can access which module on the IP. The Identity Portal serves as the user interface for both the Identity Governance and the Identity Manager. Access control mechanisms are already in place within both the Identity Governance and the Identity Manager products.