New Ranks & Badges For The Community!
Notice something different? The ranks and associated badges have gone "Star Fleet". See what they all mean HERE
Highlighted
Ensign Ensign
Ensign
165 views

PPM All Access Grants

Jump to solution

Hi

 

9.14.0008

 

Were trying to have the PMO take care of security groups and users.

We have givven them the following grants in the test env:

- Start Workbench

- Edit users

- Edit security groups

then we have protected all security groups and ppm admin users by declaring PPM Administrator as an owner to these objects. A PMO security group were added as an additional owner on the secgroups we want them to handle.

 

When doing this we noticed that we were not able to define an owner for the PPM All Access Grants secgroup. Its grayed out.

However the group seems to be protected by default. e.g only administrators can add users from within the security group itself. So thats fine.

Then we tried out how it works out when PMO is editing users, we noticed that they could only add securitygroups where we had defined ppm admin AND the PMO security group as owners, which was expected behaviour. However, and heres the problem that feels like a security bugg - they are able to add/select the ppm all access grant secgroup. This is NOT an expected behaviour. Can you replicate this issue?

 

Is there a fix for this?

 

/Johan

0 Likes
1 Solution

Accepted Solutions
Highlighted
Absent Member.. Absent Member..
Absent Member..

Johan,

 

I was able to replicate the problem. It is a defect,

 

QCCR1L39113 "Edit Security Groups" allows users to add themselves to "PPM All Access" grants

 

If this complete access is not desired but you need to assign a user the Edit Security Groups access grant, you can limit this ability by creating a copy of the PPM All Access Grants security group, modifying the copy of the security group to limit access to itself, and disabling the existing PPM All Access Grants security group:

1. Copy the PPM All Access Grants security group. From the Security Group Workbench, select the PPM All Access Grants security group and click Copy.

2. Edit the copied security group:

    a. In the Ownership tab, set the ability to edit the copied security group.

    b. In the Users tab, assign all users who are part of the PPM All Access Grant security group to the copied security group.

    c. Make any additional updates to limit access to the security group.

   d. Save your changes.

3. From the PPM All Access Grants security group, remove all users and save your changes.

4. Disable the PPM All Access Grants security group by running the following SQL statements:

    UPDATE knta_security_groups SET enabled_flag='N' WHERE security_group_id = 3;
    commit;

5. Restart the PPM Server

Best regards,
Randall

-- Remember to give Kudos to answers! (click the KUDOS star)
"If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.”

View solution in original post

2 Replies
Highlighted
Absent Member.. Absent Member..
Absent Member..

Hi Johan,

 

I'll try to replicate the problem on our labs.

In the mean time could you please provide us the exact steps to replicate it?

 

Best regards,
Randall

-- Remember to give Kudos to answers! (click the KUDOS star)
"If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.”
0 Likes
Highlighted
Absent Member.. Absent Member..
Absent Member..

Johan,

 

I was able to replicate the problem. It is a defect,

 

QCCR1L39113 "Edit Security Groups" allows users to add themselves to "PPM All Access" grants

 

If this complete access is not desired but you need to assign a user the Edit Security Groups access grant, you can limit this ability by creating a copy of the PPM All Access Grants security group, modifying the copy of the security group to limit access to itself, and disabling the existing PPM All Access Grants security group:

1. Copy the PPM All Access Grants security group. From the Security Group Workbench, select the PPM All Access Grants security group and click Copy.

2. Edit the copied security group:

    a. In the Ownership tab, set the ability to edit the copied security group.

    b. In the Users tab, assign all users who are part of the PPM All Access Grant security group to the copied security group.

    c. Make any additional updates to limit access to the security group.

   d. Save your changes.

3. From the PPM All Access Grants security group, remove all users and save your changes.

4. Disable the PPM All Access Grants security group by running the following SQL statements:

    UPDATE knta_security_groups SET enabled_flag='N' WHERE security_group_id = 3;
    commit;

5. Restart the PPM Server

Best regards,
Randall

-- Remember to give Kudos to answers! (click the KUDOS star)
"If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.”

View solution in original post

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.