Description:
A XOG user should have a combination of access rights: the rights to perform XOG read and XOG write actions, plus access rights to the particular object instances whose data is being viewed. If the XOG user doesn't have access to a particular object instance's data from the application UI, the XOG user shouldn't be able to XOG read or XOG write data for that object instance.
For the Project object, the combination of XOG user access rights and object access rights works as expected. For Non-Project Investment Objects (NPIO), however, a XOG user who does not have access to view an instance's data is still able to XOG read that data, even though the user should not be allowed to see it.
Specifically, in the Steps to Reproduce (STR), the XOG user is able to XOG read instance data for Resources, Ideas and Users when only XOG Access rights are granted, without any other access rights.
Steps to Reproduce:
XOG_USER:
Expected: The XOG read action should generate no results, or a message indicating that the user is not authorized to view the data.
Actual: The XOG read action generated instance data output although the XOG_USER is not authorized to see the data.
Solution:
WORKAROUND:
Prevent the end user from using XOG on Ideas, or on other objects that exhibit this behavior, by removing the Object - XOG Access rights.
STATUS/RESOLUTION:
This issue has been documented as CLRT-25002 and is assigned to development for review. If you are experiencing this problem and the workaround above does not significantly help, please contact CA Clarity Technical Support.
Keywords: CLARITYKB, clarity12open, xml open gateway, security.