RTC: credentials running extensions

Luca Martinucci (1.0k396112) | asked Nov 06 '14, 5:46 a.m.
I wonder under which credentials RTC plugins/extensions are run.
I mean: if user X (who can or cannot do several operations according to his roles) executes an action and that action triggers an RTC extension, are the operations executed by the extension subject to the role-based limitations?
A concrete example: suppose that user X cannot edit attribute A on a work item (because his roles forbid him to do so); if the extension triggered by user X tries to update attribute A, will it succeed?
I suppose that, if the extension runs with the "current user" credentials, it will fail; if, instead, it runs under generic "jazz administrator" (i.e. super user) credentials, it will succeed.
I made some tests, and it seems that they run as "current user", but I need a confirmation.
My RTC version is 4.0.6.

Accepted answer

Ralph Schoon (63.2k33646) | answered Nov 06 '14, 6:31 a.m.
Participants/follow up actions, advisors and providers always run with the credentials of the user doing the operation. This has been discussed here several times already actually. 

And it is not possible to cheat and gain root permissions. This would breach all security and is not possible.
Luca Martinucci selected this answer as the correct answer

One other answer

Susan Hanson (1.6k2201194) | answered Nov 06 '14, 6:26 a.m.
I'm running 4.0.6, and it runs in the context of the "current user". I have found no way for it to run under any other context.

We've looked at triggering a servlet from the SSP that runs under a "special" context that could then update the work item accordingly in one situation where this is needed, but we haven't implemented that yet.


sam detweiler commented Nov 06 '14, 6:50 a.m.

I helped another user create a web service that his extension called to use the plain Java API to execute tasks under a different user context.
