Question on Project Area access restriction
I have a RTC 2.0 server set up to host multiple project areas. Some of them are configured for "Everyone" access while others are more restrictive.
For the more restrictive ones, if a user who has not been granted access tries to access that project area via the WebUI, they will be redirected to the Project Area listing. I would prefer that they see a message indicating that they do not have access rights to that project area. Is there a way to have this type of behavior?
5 answers
At present, RTC does not have a mechanism to display an informative message if a user tries to access a project area for which he does not have access rights.
A user can only view project areas for which he has been granted access rights. And if he tries to access any project area where he does not have read access through a URL in the web UI, he will be redirected to the Project Area listing.
-Shivank
Jazz Process Team
That's unfortunate, since we have static bookmarks in our solution that aren't sensitive to user access rights in RTC. Can a work item be opened to at least provide an intermediate information box prior to the redirect?
Note that some customers would consider it a security problem to produce
an error message of the form "you don't have read access to this
project" because it exposes the fact that the project exists.
Regards,
Geoff
In our situation, the projects are known via a front-end portal. Relative to your concern, the message could certainly be phrased to leave that ambiguous, such as with userid/password validation... "The information is either incorrect or not available"...
Redirecting without a message appears more like a bug to an average user.
On Wed, 28 Oct 2009 18:07:58 +0000, spogue wrote:
> In our situation, the projects are known via a front-end portal.
> Relative to your concern, the message could certainly be phrased to leave
> that ambiguous, such as with userid/password validation... "The
> information is either incorrect or not available"...
> Redirecting without a message appears more like a bug to an average
> user.
If you hit a URL that specifies a project area that can't be found (for
whatever reason), it seems reasonable that we could show an error
message. Please file an enhancement request for this.
--
Jared Burns
Jazz Process Team
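The trade-off discussed in this thread, as an added example that is not RTC code and not from any poster: one handler answers "missing" and "forbidden" differently, which lets an unauthorised user confirm that a project exists, and the other returns one ambiguous message for both. `PROJECT_ACL`, the project names, the user names and all function names are hypothetical, and the data is constructed.

```python
# Added illustration; PROJECT_ACL, the names and every function here are hypothetical.
from dataclasses import dataclass

# Constructed sample data: project area -> users with read access (None = "Everyone").
PROJECT_ACL = {
    "public-tools": None,
    "payroll-migration": {"alice"},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def open_project_revealing(user, project):
    """Distinct answers for 'missing' and 'forbidden': an existence oracle."""
    if project not in PROJECT_ACL:
        return Response(404, "That project area does not exist.")
    readers = PROJECT_ACL[project]
    if readers is not None and user not in readers:
        return Response(403, "You don't have read access to this project.")
    return Response(200, f"Dashboard for {project}")


# One shared response object, so status and body cannot drift apart between cases.
UNAVAILABLE = Response(404, "The project area is either incorrect or not available.")


def open_project_uniform(user, project):
    """Same status and body whether the project is missing or unreadable."""
    readers = PROJECT_ACL.get(project, set())  # unknown project: nobody may read it
    if readers is not None and user not in readers:
        return UNAVAILABLE
    return Response(200, f"Dashboard for {project}")


def leaks_existence(handler, user, real_restricted, made_up):
    """True if `user` can tell a real restricted project from a made-up name."""
    return handler(user, real_restricted) != handler(user, made_up)


if __name__ == "__main__":
    for handler in (open_project_revealing, open_project_uniform):
        leaked = leaks_existence(handler, "bob", "payroll-migration", "no-such-area")
        print(f"{handler.__name__}: leaks existence = {leaked}")
```

The comparison in `leaks_existence` only covers status and body; redirects, headers and response time have to match as well for the two cases to be indistinguishable.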