Skip to main content
avillanueva
23-Emerald I
avillanueva23-Emerald I
23-Emerald I
November 10, 2023
Solved

Agreement creators and Secured Objects - How to block admins?

  • November 10, 2023
  • 1 reply
  • 1441 views

Here is a thought exercise for you. Best practice is to never have a process where some one can create a request and approve their own access. It should be a two step, two person process. Take agreements for example. With this rule, I can setup a single approve/reject workflow for a data owner to approved access to secured documents through agreements. The data owner however, cannot create the agreement or initiate the process. This works perfectly and can be done via ACLs. I found I need to at least grant read access for the data owner to see the agreement but it did move it through its lifecycle to the approved state. 

 

I also found that I need to bootstrap the data owners own access via a context-based agreement. I made an open ended agreement for the data owner to view anything that is in their context. For anyone else, the data owner can allow in too via this method. I know system states that you should use the labels unrestricted group to do this but does that not mean the data owner can view data in ALL contexts that label is set? Not good.

 

Currently, I have the agreement managers group set to be the unrestricted group for my two labels. For items specific agreements, the creator of the agreement must be able to see the object they are adding to the agreement. I am thinking what would be the case if they were not the same groups. 

 

Here is the question: How can I have an agreement manager, someone who can create and agreement (the access request) complete their task BUT not themselves be able to see the data since they do not have a need to know? Same is true of many IT functions that are granted access to see everything on the network, all folders, etc. 

    Best answer by avillanueva

    Maybe. I created a test IT admin user who is a member of Administrators but where I denied access to download any content. I also made them a member of the Agreement Managers who are also unrestricted participants to the security labels. The IT admin user is able to see the objects that are restricted and create agreements. What I did see was the denial messages for this user when they accessed the details page. This was mainly due to the WVS thumbnails when it tried to render them on the page. I think I should be able to tailor the download ACL to allow for these if it does not expose too much. If I can allow thumbnails but block other content, that would reduced the exceptions.

    2023-11-13 16:06:53,332 ERROR [ajp-nio-127.0.0.1-8010-exec-7] wt.wvs.content.FileHelper itadmin - Message: Resource bundle/Message key = wt.content.contentRes
ource/65 (wt.content.contentResource/65) wt.access.NotAuthorizedException: ATTENTION: Secured Action. File download access denied. You do not have permission t
o download this file.
 at wt.content.ContentDownloadAccessDelegate.checkAccess(ContentDownloadAccessDelegate.java:151)
 at wt.content.ContentDownloadAccessHelper.hasDownloadAccess(ContentDownloadAccessHelper.java:330)

     So, this user does not have much functionality in the system but it is a solution to my original problem. I can create an admin who can create Agreements, see restricted content BUT is blocked from downloading and viewing that content. 

    1 reply

    Fadel
    Fadel23-Emerald I
    23-Emerald I
    November 13, 2023

    This not possible OOTB , you may refer to https://www.ptc.com/en/support/article/cs364768 

    Fadel_0-1699872288765.png

     

     

    Buiꓘa
    avillanueva
    23-Emerald I
    avillanueva23-Emerald IAuthor
    23-Emerald I
    November 13, 2023

    I am not sure I follow with your highlights of owner. Let's assume the following. Bob and Janet are Agreement managers and are allowed to create Agreements in a particular context. Mary is the approver of agreements to allow access and this is done via a workflow. Bob gets a request to allow Joe to access a secured document 12345. Bob needs to be able to see the document to add it to the agreement. Bob should never have access to view the document...so is the solution to deny download to agreement managers?  Did I just solve it?

      avillanueva
      23-Emerald I
      avillanueva23-Emerald IAuthorAnswer
      23-Emerald I
      November 13, 2023

      Maybe. I created a test IT admin user who is a member of Administrators but where I denied access to download any content. I also made them a member of the Agreement Managers who are also unrestricted participants to the security labels. The IT admin user is able to see the objects that are restricted and create agreements. What I did see was the denial messages for this user when they accessed the details page. This was mainly due to the WVS thumbnails when it tried to render them on the page. I think I should be able to tailor the download ACL to allow for these if it does not expose too much. If I can allow thumbnails but block other content, that would reduced the exceptions.

      2023-11-13 16:06:53,332 ERROR [ajp-nio-127.0.0.1-8010-exec-7] wt.wvs.content.FileHelper itadmin - Message: Resource bundle/Message key = wt.content.contentRes
ource/65 (wt.content.contentResource/65) wt.access.NotAuthorizedException: ATTENTION: Secured Action. File download access denied. You do not have permission t
o download this file.
 at wt.content.ContentDownloadAccessDelegate.checkAccess(ContentDownloadAccessDelegate.java:151)
 at wt.content.ContentDownloadAccessHelper.hasDownloadAccess(ContentDownloadAccessHelper.java:330)

       So, this user does not have much functionality in the system but it is a solution to my original problem. I can create an admin who can create Agreements, see restricted content BUT is blocked from downloading and viewing that content. 

        Terms & ConditionsAccessibility statement