Kaseya Community

feature request

  • I ran into a possible security issue with reporting today when I was setting up a user account for an external user.

    Here's the deal: if an admin has a shared report, it is viewable to everyone. Then, when the new user account, who only has access to one group, decides to run the report, they can get data from other groups. Not good.

    The feature that I am requesting is sharing with rights, just like the view sharing.


    Legacy Forum Name: feature request,
    Legacy Posted By Username: rodbibeau
  • That sounds like a serious flaw that should be reported to Support ASAP. If a user only has access to a specific group or groups, then their report, regardless of private, public, or shared, should only bring up data from machines that belong to their own group.

    If this isn't the case, it needs to be fixed.


    Legacy Forum Name: Server,
    Legacy Posted By Username: vplaza
  • Hmm, this would be a critical issue for us if it were true, so I just tested this.


    1. I created a new Admin with access to only one group that had one machine.
    2. I logged in as a master admin and shared one of my reports, a modified Aggregate Table report with the Group ID for a group that I know the new Admin that I created has no access to.
    3. I logged back in as the new Admin and tried to run that shared report. I got no data. The report header said that it was for the machine group that I saved with the report as a master, but no data below.

    Are you saying that you are able to see data from other machines that the admin that you created does NOT have access to under System->Group Access?

    Thanks.
    Vince


    Legacy Forum Name: Server,
    Legacy Posted By Username: vplaza
  • Yes,

    I had shared reports with a specific group set. The new user did not have rights to this group. They ran the report, and pulled data from a group they did not have access to.

    We are still on 4.6.1. Maybe they fixed this issue with 4.6.3.


    Legacy Forum Name: Server,
    Legacy Posted By Username: rodbibeau
  • Yikes. Sounds like something to definitely report to Support.

    Legacy Forum Name: Server,
    Legacy Posted By Username: vplaza