Symptoms


A user opens a Group [sys_user_group] record.  It appears read-only and/or the user is unable to edit the Group Members.  When saving the Group Members, depending on the user's role(s) you may see the following message:

"Security users can only modify own security groups, changes not saved."

Debugging Security (ACLs) may indicate that the user is failing access because of "IAccessHandler".

Release


Kingston, Jakarta

Environment


Plugin [Security Incident Response - com.snc.security_incident]

Cause


Users without [sn_si.admin] role may encounter these symptoms if one of the Roles contained by the Group is a Security Incident Role.  Check the Roles related list for 'sn_si.' roles.

 

Users with [sn_si.admin] role may encounter these symptoms if the group does not have a valid Security group type [sys_user_group.type].  This is because sn_si.admin users, although they are granted the 'user_admin' role, are prevented from updating non-security groups.
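
To tell which of the two causes above applies to a given group and user, the following added diagnostic can be run from Scripts - Background; it is not ServiceNow's code and not part of the original article. It assumes the standard tables sys_group_has_role and sys_user_has_role, and the function name and the `GR` parameter are hypothetical.

```javascript
// Added diagnostic, not ServiceNow's code. Assumption: GR is the platform's
// GlideRecord constructor, passed in so a stand-in can be used off-instance.
function checkSirGroupAccess(groupSysId, userSysId, GR) {
  var out = { group: null, groupTypes: '', securityRoles: [],
              userIsSiAdmin: false, finding: '' };

  var grp = new GR('sys_user_group');
  if (!grp.get(groupSysId)) {
    out.finding = 'group not found';
    return out;
  }
  out.group = grp.getDisplayValue();
  // [sys_user_group.type] is a list field; its display value is the type names.
  out.groupTypes = grp.getElement('type').getDisplayValue();

  // Roles contained by the group whose name starts with 'sn_si.'
  var ghr = new GR('sys_group_has_role');
  ghr.addQuery('group', groupSysId);
  ghr.addQuery('role.name', 'STARTSWITH', 'sn_si.');
  ghr.query();
  while (ghr.next()) {
    out.securityRoles.push(ghr.getElement('role').getDisplayValue());
  }

  // Does the editing user hold sn_si.admin (directly or inherited)?
  var uhr = new GR('sys_user_has_role');
  uhr.addQuery('user', userSysId);
  uhr.addQuery('role.name', 'sn_si.admin');
  uhr.query();
  out.userIsSiAdmin = uhr.hasNext();

  if (out.userIsSiAdmin) {
    // Which type counts as valid is decided by the Script Include; review manually.
    out.finding = 'sn_si.admin user: confirm the group has a valid Security ' +
                  'group type; found: ' + (out.groupTypes || '(none)');
  } else if (out.securityRoles.length > 0) {
    out.finding = 'group contains Security Incident roles and user lacks sn_si.admin';
  } else {
    out.finding = 'neither cause in this article applies';
  }
  return out;
}
// On an instance:
// gs.info(JSON.stringify(checkSirGroupAccess('<group sys_id>', '<user sys_id>', GlideRecord)));
```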

Resolution


You may resolve this by reconfiguring your groups or roles, or by customizing the controlling Script Include.  Ensuring that the 'sn_si.admin' user also inherits the 'user_admin' role from a secondary group will bypass the script's check.  The Script Include is "SecurityIncidentUtils" and is part of the Security Incident scoped application.  Lines 954 - 983 contain the methods 'shouldAbortNonSecurityGroupMemberUpdate' and '_isSecurityGroupType'.

Additional Information


The IAccessHandler permissions cannot be bypassed with ACLs, so creating additional ACLs will not help in this case.

Article Information

Last Updated: 2018-08-03 00:25:36
Published: 2018-07-24