0 votes

Dear all,

A client reported a problem to me in Efficy 10SP2+, but I am not sure whether it is a bug or a configuration problem:

Let's suppose we have three users:

  • User A
  • User B
  • User C

Each user is a member of a group:

  • User A: Everyone + Group 1 + Admin
  • User B: Everyone + Group 1
  • User C: Everyone + Group 2

There is a category on "contacts" called "Employee".

  • Everyone should not have access
  • Group 1 should read the content
  • Group 2 should not see the category and its content (no access then)

If User A or B modifies information on a contact:

  • A and B see the information
  • C does not see the information in the category (he does not see the category).

So far, everything works as expected.

BUT:

  • User A, B AND user C see the change in the chronos, and what's been changed!

Is that a configuration problem or a bug? If it is a bug, is that fixed in Efficy 11.1?

Thanks in advance for your help,

Regards,

Loïc

closed with the note: Answered
asked in Efficy Designer (Conficy) by (460 points)

1 Answer

0 votes

Hey Loic.

I only see the information of a category in the chronos if the field is selected in the Chronos form.

The COMP$ADDRESS.CITY field, for instance: I added it as a test.

Chronos Configuration - Company

Only then I see the field information in the chronos.

Chronos field change log

If I remove the field again from the form, it is no longer visible.


Double check if the field you don't want to share with all users is part of the form? If so, remove it.

There is also security on the change history. If I don't have rights, I don't see the category change.


When I have the rights, I do see the change. So, that works pretty well out of the box.


Tested with Efficy 11.1

Regards,
Kristof

answered by (6.8k points)

Ok, thanks.

We thought the chronos would apply the security the "same way" the history change does.

We will talk with the client about that.

Regards,

Loïc

Maybe it should indeed, but it doesn't :-)
You can register it as a suggestion to R&D and refer to this post

Suggestion made

That's something that really should be corrected.
Chronos must take into account the rights on the Categories.
We'll correct this ASAP.

Cheers,
Robert

This has been corrected in SVN 14654 and will be rolled out in the next Efficy build.

As a general rule of thumb, we give high priority to security issues in Efficy; if you find scenarios in which users can see information they're not supposed to see, we will always try to correct ASAP.

Thanks a lot to you and the R&D team for the reactivity. It will be a good start to convince him to upgrade his Efficy.

Well, another security issue is that queries that display information from a category table also show this info, even if you have no rights on it. The security clause is for the record itself.

Queries created by other users can indeed show information that is usually not accessible to you. The security is governed by the fact that you are given access to and being allowed to execute the query.
It's the same with native SQL queries. Only certain users can create and modify them, but other users can execute them (if given access to the query) and potentially see results that are not compatible with their usual security settings.
We consider this a feature, not a bug :).

For SQL queries, this is anticipated behavior. For Efficy queries, users expect that security is respected, no matter who executes it. They are not going to think about that for categories.

Anyway, it's been like that since the beginning, so it's not that important.