PerthRM8 Outstanding Contributor.

Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Hi,

MF CM 9.3.1.300, Win10, MS Office 2016, SQL 2016:

This one is kinda urgent: Just discovered that our Standard / Average TRIM user (downgraded Records Manager profile) in MF CM 9.3.1 can do a right click-New-Copy record on a TRIM document in a file where the user does not have access but can see the TRIM document number (everything else, the other metadata, is greyed out); the document is then copied into the unrestricted File/folder (all metadata and also the electronic document) and is visible to that user.

We need to fix this urgently. Does anyone know which permission will stop this user from copying the document from the restricted folder into the unrestricted one and seeing the document?

Thanks

 

 

 

AG_LTBit Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Hi PerthRM8,

Can you see if you have the 'Bypass all access controls'  permission ticked? It is close to the bottom of the permission list. 

Normally they shouldn't be able to see the contained item at all.

That is the thing I thought of first when I read your question. I don't have a 9.3 environment to test against just now, so probably can't help much more at the moment.

Good luck.

AG.

-----------------------------------------------------------------------
www.ltbit.com.au
PerthRM8 Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Thanks, but this user does not have that option checked in his profile

 

Micro Focus Expert

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Just one user?

Check the right mouse click > security and access and see if they have access to copy the document.

If that doesn't make things clear you should log a support case for investigation 

**Any opinions expressed in this forum are my own personal opinion and should not be interpreted as an official statement on behalf of Micro Focus**
PerthRM8 Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Thanks,

Well, all users with that user type profile (I tested it with my other colleague), and they do have the right to COPY the document (Right click view access rights) ... How can we determine from which permission (feature) this permission to COPY a record came, so that we can turn it off?

Regards

 

PerthRM8 Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Also, I checked the settings in the Production environment (TRIM 8.3 records manager), and that user type also does have the right click view access options thing, and the COPY permission is there, but, but, when I wanted to do the same thing, e.g. to find the protected document where on a double click I can only see the metadata and then do the select document - New - Copy records, I could not copy that record and electronic document; the error popped up saying you do not have the right to view that document .....!!!

Then I checked the CM9.3 testing environment and realised the difference:

In PROD 8.3 we have a TRIM Corporate FILE/Container with access settings without me/that user there, and the same access is replicated on ALL documents within that restricted File.

On the contrary, in the CM9.3 dataset we have a TRIM Corporate FILE/Container with access settings without me/that user there, and the same access is NOT, NOT replicated on any of the documents within that restricted File/Container ....

The 4th category of access level settings, "Update Records Metadata", on a restricted File/Container is set to a certain group of users, but on the documents within that restricted file "Update Records Metadata" is set to UNRESTRICTED?????? on all documents ....

How is that possible?

I thought this was an isolated case, but all our restricted files that are copied from PROD into the test environment now have documents with the 4th category of access level settings, "Update Records Metadata", set to UNRESTRICTED??????

Security Level Filter conversion?

Or what is happening here? Is this the reason why these users can COPY the electronic docs from restricted files to unrestricted?

Any comments appreciated.

 

rkw Regular Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Did you run the Security Filter Conversion on the CM 9.3 test environment post schema upgrade?

PerthRM8 Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

I think my colleagues are running it now ...thanks... We shall see if that will fix the situation....

There is a database timeout at the moment, can't connect to the dataset.... SQL state consequently HYT00,0

 

PerthRM8 Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Hi, some updates, but not as expected ...

The security filter conversion process failed after 15 hours:

SecurityFilterConversion(containersStage): (SERVER ADDRESS here)  Tuesday, 12 February 2019 at 18:08:06 GMT (Wednesday, 13 February 2019 at 02:08:06)
18:08:06:502       CC  3420                 5792    46683789             SecurityFilterConversion(containersStage) Consumer thread processing stopped after 893970 items were processed, **** failed with error: Content Manager Workgroup Server on 'wgs server xxxxxxx' reported an error. The SQL Dataset has reported a timeout.
Details: [Microsoft][ODBC SQL Server Driver]Query timeout expired
SQL state and native error code are consecutively  HYT00 , 0

-

Also, I have checked the situation in our other DEV environment, CM9.3.1.300, where, as I was informed, the security filter conversion has been done successfully, and the results are also not good: the average TRIM user can copy a secured document into the unsecured file together with the electronic document and then see it...

So, maybe the issue is in some other permission ...?

 

HeatherM1 Super Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

I'm getting this behaviour, too, in CM 9.2.  It would appear that a user with the Create Record permission (in other words, any user above Inquiry level) has Copy Record access. 

We control this by applying access controls which prevent unauthorised users from viewing the metadata of any restricted record.  Our reasoning is that unauthorised users can deduce a fair amount just from the title of a record without viewing the actual document e.g. misconduct investigations, etc.   Therefore, for security purposes, we don't even let them know that the record exists.

PerthRM8 Outstanding Contributor.

Re: Average user in CM 9.3.1.300 can copy protected docs to unprotected file

Thanks, it looks like that ..........., the logic seems to be on your side :-)

However, in our production system, which is still 8.3 patch 2, when I tried to replicate the situation (as I was concerned whether that case / behaviour exists already), the results were negative: the error popped up saying that the protected document cannot be copied as the user does not have the "View document" permission .... so I could not make a copy (including the electronic document) of the secured document into the unprotected file/container, as expected.

Obviously, the user does not have the view permission in that secured file / secured document.... user can only see the metadata ....

Somehow, in CM 9.3.1.300 or even before as you indicated, that error / warning popup is not happening for some reason...

The Micro Focus developers are currently investigating the support case we made yesterday, and at the same time I am also doing additional checks to see what has changed from 8.3 to 9.3 ...

Regards

 
