Security risk in Selfservice portal?

We have a normal user with only domain user access rights. These users can manage their own AD groups, e.g. they are primary managers of an AD group.

While logged in via the selfservice portal as a normal user, we click on the "Groups I manage" within the portal and it shows my groups.

Looking at the web browser URL, I can change my name, e.g. bob+jones to beth+hope, and hit enter. It then shows me the other user's groups they manage and I can at that point add or remove people from those groups.

Example URL: server/.../CustomCommands.aspx

I should not have the ability to change any group that I don't manage.

Within the Active Roles console when logged in as admin, I'm able to see the history for that group and it shows me that my normal account made changes to the group I shouldn't have access to.

Is this something others can do or is it my console/web configuration?

Is there a way to run a report to show all groups that have been changed by users that don't have primary or secondary management?
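The two things this thread turns on are a server-side authorization check keyed on the authenticated session (not on a user name carried in the URL) and a report that flags group changes made by accounts that are neither primary nor secondary manager. The block below is an added example, not Active Roles code or its schema: the group objects, the change-history rows, the `exempt` set of service accounts and the account names are all constructed, and the history row shape is an assumption standing in for whatever export the console produces.

```python
"""Added example (not One Identity Active Roles code).

Models the two checks discussed in the thread on constructed data:
  1. can_change_group(): the server-side gate a self-service page must apply,
     judged against the session user, never against a name read from the URL.
  2. report_unmanaged_changes(): the report the poster asked for, run over a
     constructed change-history export, returning rows whose initiator is not
     a primary or secondary manager of the group changed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    primary_manager: str                       # AD managedBy, as a sAMAccountName
    secondary_managers: set[str] = field(default_factory=set)

    def is_managed_by(self, account: str) -> bool:
        # sAMAccountName comparison is case-insensitive in AD, so normalise.
        acct = account.lower()
        return acct == self.primary_manager.lower() or acct in {
            s.lower() for s in self.secondary_managers
        }


@dataclass
class ChangeRecord:
    """One row of a change-history export (constructed shape, not the ARS schema)."""
    when: str
    initiator: str        # account that performed the change
    group: str            # group that was modified
    action: str           # e.g. "add member" / "remove member"
    target: str           # member added or removed


def can_change_group(session_user: str, group: Group) -> bool:
    """Server-side gate for a 'Groups I manage' style page.

    Only the authenticated session user is consulted. A user name present in
    the query string is display data and must not widen what the session user
    may edit; that is the defect the poster observed.
    """
    return group.is_managed_by(session_user)


def report_unmanaged_changes(history: list[ChangeRecord], groups: list[Group],
                             exempt: set[str] = frozenset()) -> list[ChangeRecord]:
    """Rows whose initiator is not a manager of the group they changed.

    `exempt` holds accounts (admins, provisioning service accounts) that are
    expected to change any group; without it every legitimate admin change
    would be flagged as well. Changes to groups missing from `groups` are
    flagged too, since their management cannot be verified.
    """
    by_name = {g.name.lower(): g for g in groups}
    exempt_lc = {e.lower() for e in exempt}
    flagged = []
    for rec in history:
        if rec.initiator.lower() in exempt_lc:
            continue
        grp = by_name.get(rec.group.lower())
        if grp is None or not grp.is_managed_by(rec.initiator):
            flagged.append(rec)
    return flagged


# Constructed sample data (names only illustrate the scenario in the thread).
SAMPLE_GROUPS = [
    Group("Sales-Team", "bob.jones", {"alice.ng"}),
    Group("Finance-Approvers", "beth.hope"),
]
SAMPLE_HISTORY = [
    ChangeRecord("2024-01-10T09:00", "bob.jones", "Sales-Team", "add member", "carl.day"),
    ChangeRecord("2024-01-10T09:05", "bob.jones", "Finance-Approvers", "add member", "carl.day"),
    ChangeRecord("2024-01-10T09:07", "alice.ng", "Sales-Team", "remove member", "dan.ro"),
    ChangeRecord("2024-01-11T11:00", "svc-ars-admin", "Finance-Approvers", "remove member", "eve.m"),
]

if __name__ == "__main__":
    for rec in report_unmanaged_changes(SAMPLE_HISTORY, SAMPLE_GROUPS, exempt={"svc-ars-admin"}):
        print(f"{rec.when} {rec.initiator} changed {rec.group} ({rec.action} {rec.target}) "
              "without being a primary or secondary manager")
```

Feeding a real export into `report_unmanaged_changes` means mapping the console's history columns onto `ChangeRecord` and loading `managedBy` plus whatever attribute holds secondary owners into `Group`; the comparison logic itself does not change.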

  • Peter, you described the scenario in very generic terms. The details of your configuration (hard to fit in the forum format) might result in the observed results. On the other hand, ARS is a mature product on the matter and, assuming it is configured right, will provide correct, non-bridged, granular security delegation, including SSM Primary and Secondary Owner to manage own groups.
