TSCO RBAC should be enforced on TSPS Investigate saved studies

score 75
Product Team Review

Right now, any user with access to Investigate on TSPS can see any saved study. This happens on v11 and v11.3.01.

Even if the user does not have access to the servers on the workspace, and even if the user has NO server configured, they can see and edit some settings on the saved studies.

No matter how sensitive the server information is, it will be open to any user with access to Investigate.

Access groups do not apply to the saved studies.

We think that RBAC should also be implemented for the saved studies, allowing users to see only the information for the servers they are allowed to access.

And the ones that are not in the user's access groups should not be displayed.

Another way of implementing it is to consider the saved studies as views, and only allow the saved study to be seen by those with access to it.

That probably simplifies the use case, and it is probably something that can be implemented inside TSPS (to consider Investigate saved studies as views).

Cheers
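
The two options proposed in the post above, sketched as an added example that is not part of the original post and is not TSPS or TSCO code. Every class, function, group and server name is hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    access_groups: frozenset  # access groups the user belongs to

@dataclass
class SavedStudy:
    name: str
    servers: tuple                        # servers the study was built from
    view_groups: frozenset = frozenset()  # ACL used only by the "study as view" model

# Constructed sample data: server name -> access group that grants it.
SERVER_GROUP = {"web01": "web-team", "db01": "dba-team", "hr-db": "hr-team"}

def allowed_servers(user):
    """Servers reachable through the user's access groups."""
    return {s for s, g in SERVER_GROUP.items() if g in user.access_groups}

def visible_by_server_rbac(user, studies):
    """Option 1: per-server RBAC. Each study is cut down to the servers the
    user may access; a study with no permitted server is not listed."""
    allowed = allowed_servers(user)
    result = {}
    for study in studies:
        permitted = [s for s in study.servers if s in allowed]
        if permitted:
            result[study.name] = permitted
    return result

def visible_as_view(user, studies):
    """Option 2: the saved study is an object with its own access list."""
    return [st.name for st in studies if st.view_groups & user.access_groups]

def can_edit(user, study):
    """Deny by default: editing requires access to every server in the study."""
    return bool(study.servers) and set(study.servers) <= allowed_servers(user)

STUDIES = [
    SavedStudy("web capacity", ("web01",), frozenset({"web-team"})),
    SavedStudy("db vs web", ("web01", "db01"), frozenset({"dba-team"})),
    SavedStudy("hr forecast", ("hr-db",), frozenset({"hr-team"})),
]
ALICE = User("alice", frozenset({"web-team"}))
NOBODY = User("nobody", frozenset())  # Investigate access, no server configured
```

Option 1 still exposes the existence of a mixed study ("db vs web") to a user who can reach only one of its servers, while option 2 hides it entirely unless the study's own access list includes one of the user's groups.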
