

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Hi,
MF CM 9.3.1.300, Win10, MS Office 2016, SQL 2016:
This one is kinda urgent: Just discovered that our Standard / Average TRIM user (Downgraded Records manager profile) in MF CM9.3.1. can do a right click-New-Copy record on a TRIM document in a file where user does not have access, but can see the TRIM document number, (everything else, other metadata is greyed out); the document is then copied into the unrestricted File/folder (all metadata and also an electronic document) and visible to that user.
We need to fix this urgently, does anyone knows which permission will stop this user of copying the document from restricted folder into the un-restricted and see the document?
Thanks


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Hi PerthRM8,
Can you see if you have the 'Bypass all access controls' permission ticked? It is close to the bottom of the permission list.
Normally they shouldn't be able to see the contained item at all.
That is the thing I thought of first when I read you question. I don't have a 9.3 environment to test against just now, so probably can't help much more at the moment.
Good luck.
AG.
www.ltbit.com.au


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Thanks, but this user does not have that option checked in his profile

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Just one user?
CHeck the right mouse click > security and access and see if they have access to copy the document.
If that doesn't make things clear you should log a support case for investigation


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Thanks,
well, all users with that user type profile (I tested it with my other colleague) , and they do have right to COPY document (Right click view access rights) ... How we can determine from which permission (feature) this permission to COPY record came so that we can turn it off?
Regards


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Also, i checked the settings in Production environment, (TRIM 8.3 records manager) and that user type also does have the - right click view access options thing and COPY permission is there, but, but, when i wanted to do the same thing , e.g. to find the protected document where on a double click i can only see the metadata and then do the select document - New - Copy records, i could not copy that record and electronic document, the error popped up saying you do not have the right to view that document .....!!!
Then I checked the CM9.3 testing environment and realise the difference:
In PROD 8.3 we have a TRIM Corporate FILE/Container with access settings without me/that user there and the same access is replicated on the ALL documents within that restricted File
On the contrary, although in CM9.3 dataset we have a TRIM Corporate FILE/Container with access settings without me/that user there and the same access is NOT, NOT replicated on any of documents within that restricted File/Container ....
The 4th category of access level settings "Update Records Metadata" on a restricted File/Container is set to a certain group of users , but on the documents within that restricted file the "Update Records Metadata" is set to UNRESTRICTED?????? to all documents ....
How is that possible?
I thought, this is an isolated case, but all our restricted files that are copied from PROD into the test environment now have documents with the 4th category of access level settings "Update Records Metadata" set to UNRESTRICTED??????
Security Level Filter conversion?
Or what is aheppening here? is this the reason why these users can do the COPY of the electronic docs from restricted files to unrestricted?
Any comments appreciated.


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Did you run the Security Filter Conversion on the CM 9.3 test environment post schema upgrade?.


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
I think my colleagues are running it now ...thanks... We shall see if that will fix the situation....
There is a database timeout at the moment, can't connect to the dataset.... SQL state consequently HYT00,0


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Hi, some updates, but not as expected ...
the security filter conversion process failed after 15 hours :
SecurityFilterConversion(containersStage): (SERVER ADDRESS here) Tuesday, 12 February 2019 at 18:08:06 GMT (Wednesday, 13 February 2019 at 02:08:06)
18:08:06:502 CC 3420 5792 46683789 SecurityFilterConversion(containersStage) Consumer thread processing stopped after 893970 items were processed, **** failed with error: Content Manager Workgroup Server on 'wgs server xxxxxxx' reported an error. The SQL Dataset has reported a timeout.
Details: [Microsoft][ODBC SQL Server Driver]Query timeout expired
SQL state and native error code are consecutively HYT00 , 0
-
Also, i have checked the situation in our other DEV environment CM9.3.1.300 where, as i had information the security filter conversion has been done successfully , and the results are also not good, the average TRIM user can copy secured document into the unsecured file together with electronic document and then see it...
so, maybe, the issue is in some other permission ...?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
I'm getting this behaviour, too, in CM 9.2. It would appear that a user with the Create Record permission (in other words, any user above Inquiry level) has Copy Record access.
We control this by applying access controls which prevent unauthorised users from viewing the metadata of any restricted record. Our reasoning is that unauthorised users can deduce a fair amount just from the title of a record without viewing the actual document e.g. misconduct investigations, etc. Therefore, for security purposes, we don't even let them know that the record exists.


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Thanks, it looks like that ..........., the logic seems to be on your side 🙂
However, in our production system which is still 8.3 patch 2 when i try to replicate the situation (as I was concerned whether that case / behaviour exist already) and the results are negative, the error popped up saying that the protected document cannot be copied as the user does not have the "View document" permission .... so i could not make a copy (including the electronic document) of secured document into the unprotected file/container, as expected.
Obviously, the user does not have the view permission in that secured file / secured document.... user can only see the metadata ....
Somehow, in CM 9.3.1.300 or even before as you indicated, that error / warning popup is not happening for some reason...
The Micro Focus developpers are currently investigating the support case we made yesterday, and in the same time, I am also doing additional checks to see what is changed from 8.3 to 9.3 ...
Regards


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Hi - is this a security bug in CM9.3.1.300? Thanks.


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
Yes, you can say that, but there are few hotfixes that have resolved this issue, I can confirm it.
cheers


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
I asked our implementation partner about this same issue in our 9.1.2 environment and they confirmed with Micro Focus that it's a known issue and is resolved in 9.3 and 9.4. They didn't clarify what version of 9.3 though...


- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file
We're on 9.31 build 300 and not going to 9.4 (I've read about deployment issues). I'll check w/ support. Thanks.