It's all about the answers!

Ask a question

unintended read access to all project areas


Steffen Kriese (381721) | asked Nov 26 '13, 3:17 a.m.
Hello,

I created a user id called DEF_DEV1 which is not a member of any project area on my RTC 4.0.4 installation. A test project area contains a stream and a component owned by this project area. The visibility is limited to the project area.  Surprisingly the DEF_DEV1 user id has access to all files in the test project area.
Any Idea how I can limit the read access to a project area to the members of this project area?.

Kind Regards, Steffen 


Comments
Steffen Kriese commented Nov 28 '13, 3:12 a.m. | edited Nov 28 '13, 4:25 p.m.

Some screen shots from my scenario:

The user ID is not member of any project:



The user ID has no repository permissions:

The user ID has a developer licenses:





The user management is done via LDAP:


DEF_DEV1 is not a member of the project area:


The access is limited to members of the project hierarchy:

the visibility of the component is limited to he project area:

the ID DEF_DEV1 can see the java code:

 


Steffen Kriese commented Nov 28 '13, 4:16 a.m. | edited Nov 28 '13, 4:26 p.m.

Did some more investigations:
the file read access permission for all files is set to public. When creating a new file the read access permission is also set to public. Is there a way to change the read access permission?


Geoffrey Clemm commented Nov 28 '13, 4:40 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

When you say "has access to all files in the test project area", what specifically did that user do to read those files?

5 answers



permanent link
David Lafreniere (4.1k7) | answered Nov 27 '13, 12:39 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
Hi Steffen,

I just installed RTC 4.0.4 and tried to reproduce the steps that you did, I could not observe the same behavior.

As an assumption, when I was testing the part where you said "has access to all files in the test project area.", I was testing to see if that user could see the Stream in the team artifacts view of in the Eclipse RTC clinet (an likewise use "Show" --> "Repository Files" on a component). Note: This is a stream which has the owner and visibility is the project area as you mentioned).

Some explanations for that behavior however include:
-In the Project Area editor, on the "Access Control" tab, if the selection is on "Everyone" instead of "Members of the project area hierarchy" then any user could see the source.
-Otherwise, if the "Access Control" is set to "Members of the project area hierarchy", then the user could see the source. (perhaps he was added as a member by accident somehow)
-The user could also have a repository permission role of "JazzAdmins", and it would not matter if he was assigned a stakeholder, contributor, or developer license, they would still be able to see the source.
-Another explanation, however unlikely, is that you changed the license or repository permission in the web-ui, and either forgot to hit save, or the request didn't go through.

I also verified what Ralph said in the same 4.0.4 Install you tried.
ex:
1. The project has access control. If It is readable by everyone, everyone can access everything on project level, unless otherwise hidden.
2. If someone has no license at all, they can not access the source code (but the work items)
3. If a stream is owned by a project area the visibility is always project area level - you can't change it. So who can access the project area and has a license can access it.
4. If a stream is owned by a team, AND the visibility is limited to the team, only team members can open the team
5. If you limit access control, only users that have access can access the project data.

As a reference for anyone reading this, here's information on what the the different licenses allow a user to do (reminder, the contributor license has read access to source, but not write access, and the stakeholder license does not even have read access to source - I verified this in my RTC 4.0.4 Install):
https://jazz.net/library/article/548/
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0/index.jsp?topic=%2Fcom.ibm.jazz.repository.web.admin.doc%2Ftopics%2Fc_license_mgmt_over.html

Here are some articles and blogs about how permissions work in RTC (and some different ways to hide source from users)
-Process permissions lookup in Rational Team Concert 2.0 (https://jazz.net/library/article/291)
-Process behavior lookup in Rational Team Concert 2.0 (https://jazz.net/library/article/292)
-Enhanced source control permissions in the next release of Rational Team Concert (RTC 3.0.1) (https://jazz.net/blog/index.php/2011/05/23/enhanced-source-control-permissions-in-the-next-release-of-rational-team-concert/)
-Patterns for read-protecting source code  (RTC 2.0) https://jazz.net/blog/index.php/2009/05/21/patterns-for-read-protecting-source-code-2/
-Getting Started with Project Areas and Process in Rational Team Concert 2.0  (RTC 2.0) (https://jazz.net/library/article/137/)


permanent link
Geoffrey Clemm (29.2k23035) | answered Nov 27 '13, 3:44 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
For read access control of file content for non-admin users, only two things matter:
- The access control specified for the project area that owns the component that contains that file
- The access control specified for a particular file.
You can see the content of a file version only if you have read access to the component, and you have read access to the particular file.

Note that I have said nothing about streams.   That is because read access to a stream only determines whether you are allowed to see what is the current configuration of that stream.  Even with no read access to any stream, if you have read access to a component, you can see all of the change sets in that component, which gives you access to the content of all versions of all files in that component (except for a file that has explicit access control that doesn't let you see any of the versions of that file).




In order to control read access, the access control on a stream is largely irrelevant

permanent link
Arun K Sriramaiah (3.2k1837) | answered Nov 26 '13, 3:49 a.m.
Hi Steffen,

I think the user might be assigned Jazzadmin repository permission. it will be having an access to all the files but not able to modify any changes ( unless he has got assigned roles in the project area and developer licenses)

Uncheck the JazzAdmin Repository Permission and give JazzUser repository permission.

I don't think so you can limit the read-access on the source files under component but you can restrict by enforcing permission to modify the files.

Please let me know if you need any further information.

Regards,
Arun


Comments
Steffen Kriese commented Nov 26 '13, 7:37 a.m. | edited Nov 26 '13, 8:31 a.m.

Hello,

initially the user id had JazzGuests, JazzUsers and <label for="JazzProjectAdminsCheckBox"> JazzProjectAdmins permissions. Removed first
</label>  JazzProjectAdmins then JazzGuests and finally all permissions. The user id can still see all code.

Kind Regards, Steffen


permanent link
Ralph Schoon (55.1k23642) | answered Nov 26 '13, 7:54 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Nov 26 '13, 7:54 a.m.
Steffen this is just a guess, but probably valid. RTC is built for transparency, so any user can see information.
If you want to limit read access to a project, check the access tab. That tab allows you to restrict read access to the members of the project.

You can also try to set the visibility of the streams to a team area inside of the project. I think that should hide it from users not in the team area.

I know in the past, to make it sure the code can not be seen, but work items can, the suggestion was to use one open project for work items and another project with access limitations for SCM. This makes it unlikely for users not supposed to see any code, even if someone accidentally changed the visibility. As far as I know this is how we develop RTC and the other products too. The work items are in one project, the code is in one with limited access rights.

I am not sure if the user being able to see the code is by design, even if visibility is limited to the project area. You might want to file a PMR or defect for that, if you think this is a defect. I will check soon, if I see the same.


Comments
Ralph Schoon commented Nov 26 '13, 8:29 a.m. | edited Nov 26 '13, 8:30 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Steffen, I just tried it and it is consistent, like it or not, with my description above.

1. The project has access control. If It is readable by everyone, everyone can access everything on project level, unless otherwise hidden.
2. If someone has no license at all, they can not access the source code (but the work items)
3. If a stream is owned by a project area the visibility is always project area level - you can't change it. So who can access the project area and has a license can access it.
4. If a stream is owned by a team, AND the visibility is limited to the team, only team members can open the team
5. If you limit access control, only users that have access can access the project data.


sam detweiler commented Nov 26 '13, 8:50 a.m. | edited Nov 26 '13, 8:59 a.m.

If you take away the developer license, and just leave contributor or stakeholder, then those users will not have any access to the source.. (no access)

that is how we setup our system to satisfy the auditors, and was the IBM recommended solution.

and I just confirmed that stakeholder and contributor do not have access to the source control elements.(components or streams)
only workitems


Ralph Schoon commented Nov 26 '13, 8:59 a.m. | edited Nov 26 '13, 9:06 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Sam, I tried that with 4.0.5 RC1 and the user still can see the code with

  • a stakeholder or contributor license
  • only having guest repository role
The user could still see the code in the Web UI. I logged out and back in, closed the session etc, after changing the license. I am pretty sure it is as I describe. The user might not be able to load a repo workspace etc. in Eclipse, but he can browse the SCM data.


sam detweiler commented Nov 26 '13, 9:09 a.m.

Hm.. here I logged on with my user Mark, who is contributor, with the project connected in Eclipse under a user who DID have access



I see the component names in the web ui, but not the files, change sets..
this is 4.0.3 server


Ralph Schoon commented Nov 26 '13, 9:13 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Please try the Web UI, Sam.


sam detweiler commented Nov 26 '13, 9:18 a.m.

ok, eclispe UI with developer user


web view for contributor user



Ralph Schoon commented Nov 26 '13, 9:23 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

I did not hide on component level, because the question was for the stream level.


sam detweiler commented Nov 26 '13, 9:27 a.m.

I did not change any settings.. this is OOtB behavior. If I change the user license to developer everything shows up.






Ralph Schoon commented Nov 26 '13, 9:28 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Here is a contributor user not in the project browsing a stream - I tried different browsers too. Note 4.0.5 RC1



sam detweiler commented Nov 26 '13, 9:32 a.m.

Hm.. when I try to access the flow targets with the contrib user I get


sounds like there is a security regression in 4.0.5 rc1


Ralph Schoon commented Nov 26 '13, 9:49 a.m. | edited Nov 26 '13, 9:56 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

I am not sure what the status on 4.0.5 is. I will try to pass that on.


sam detweiler commented Nov 26 '13, 9:56 a.m.

and just to add the rest of the data. the user Mark on my system has JazzUser and JazzProjectAdmin repo access set, AND is a member of the project (Stakeholder)
(If I add 'team member' no change)

If I then change the user client access license type from contributor to developer, the user has access to the source on both web and eclipse.


Ralph Schoon commented Nov 26 '13, 10:02 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

This was a version that was not yet released, however, I have noticed someone to have a look.


David Lafreniere commented Nov 27 '13, 3:14 p.m.
FORUM MODERATOR / JAZZ DEVELOPER

I tested the behavior in 4.0.4 and 4.0.5 and am observing the same expected behavior (see my answer to the main question).

Note: Even with the correct membership/access, users with stakeholder licenses should not be able to see source code. Users with contributor licenses should have 'read' access to the source, but not write access. And the developer role license allows read and write of source. From there, process area membership, access, stream / component ownership/visibility can be applied to control the access of source further.

(see the URLS posted in my original answer to the question on the expected behavior with regards to the licenses)

It's possible that I missed where the possible regression or issues were as per the discussion above, if you think I did, please mention what behavior you think is broken specifically, and on which version of RTC and I can try to re-verify.


Geoffrey Clemm commented Nov 27 '13, 3:35 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Note that in general, you should never be using license assignment as a form of read-access control.  It may be that certain data is (or appears to be) hidden if you don't have a particular license, but you should not count on that behavior being true in all GUI's, and should not count on that behavior as staying true from release to release. 


Steffen Kriese commented Nov 28 '13, 5:02 a.m.

Ralf,
we have one project area for work items and several other project areas for source code. We need to limit the read access to each source code project area to the members of this project area. Only people with need to know must have read permissions to the source code. From the RTC documentation and your comments this should work by limiting the visibility of components to project or team areas. I was prototyping this for our RTC 4.0.4 test installation and found that all users on the server have read access even if they are not a member on any project area.
The behavior is independent form the RTC client I see the same in windows, linux, eclipse or web client.
Regards, Steffen    


Ralph Schoon commented Nov 28 '13, 5:09 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

My answer as well as the answer of my peers Geoff and David, as I interpret them, is to set the Access Control of the projects hosting source to something other than "Everyone".

Every other attempt is too error prone, labor intensive and doomed to fail in the long term.


sam detweiler commented Nov 28 '13, 7:40 a.m.

Unfortunately, that alone is not enough. there are valid reasons for user without source read access to have access to a project.

In my prior case it was the Support personnel, who needed to work on workitems, but were not allowed to see the source.


Geoffrey Clemm commented Nov 28 '13, 4:45 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

If you want different read access for a component from work items, just create a new project area with the right access control for the component, and change the ownership of that component to be that new project area.

showing 5 of 19 show 14 more comments

permanent link
Steffen Kriese (381721) | answered Nov 28 '13, 3:16 a.m.
My previous comment contained a lot of screenshots. looks like they are not uploaded since I have not enough reputation ........

Your answer


Register or to post your answer.