
Add access control for System Properties


Hello OO development team and members of OO community,

Currently, System Properties in OO Central have no access control. Everyone logged in to Central can see them and also edit the values. This is not acceptable from both security and integrity points of view. If we store values in System Properties that all or most production flows use, and an inexperienced or irresponsible user changes the values to wrong ones, it could have a serious impact on the execution of production flows.

Please enhance the access control possibilities for System Properties to make it possible to set who can view and edit the system properties.

Kind regards

Jan Rys

AndreiTruta Outstanding Contributor.
Status changed to: Waiting for Votes
Micro Focus Frequent Contributor

There are "View Configuration Items" and "Manage Configuration Items" permissions in OO Central.

If a person's roles do not have those permissions, then the user won't see the Configuration Items tab...

Probably a more useful thing is to make more granular access to specific System Properties and SP folders, like we have for System Accounts and Flows...

kmann Valued Contributor.

Yes, I agree! We run a multi-tenant environment with many different business units. The business units are separated so BU1 should not be able to view/run/modify ANYTHING of BU2. But the way it works right now is if you give a BU1 person the promoter role to take care of their needs, then they can see and do everything. It should be separated so you can give a role to a person in BU1 so they can only manage their own content and NOT anyone else's. As it is right now, we have to take all those permissions away and be responsible for ALL. It would make things so much easier if BU1 only saw BU1 and BU2 only saw BU2. Please let me know if you have any questions or would like to see a use case.

Michael_it Honored Contributor.

I would like to add to this idea that there are 2 scenarios where access to System Properties needs to be taken into account.

Generally seeing/managing them via the OO UI or API: I agree a rights model supporting multiple management teams would be appreciated.

Additionally, there is the runtime access to System Properties. Here it must not only take the permission of people into account, as this causes additional problems with shared automation modules/flows. This means it must not only validate if the running user has access to the System Property but also if potentially a parent flow in the call stack does have access.



Micro Focus Contributor
Status changed to: Under Consideration

The idea received enough support from the community to be considered for prioritization in our future development planning.

We will continue to monitor the idea so please expect further updates.

Micro Focus Expert

As mentioned by @Michael_it with details in https://community.microfocus.com/t5/Operations-Orchestration-Idea/Add-Flows-as-Option-in-System-Account-Permissioning/idi-p/1675110, many security concerns derived from the use of System Accounts are addressed.
Don't forget a system account password can be obtained in cleartext (I use it as a challenger exercise when I'm the instructor in OO courses).
