Why can external users access so many backend UI pages with the OOB CSM ACLs?

01-20-2023 06:17 AM - edited 01-20-2023 06:18 AM
Out of the box, ACLs for CSM are configured in a way that external users with minimal roles (like sn_esm_user or sn_customerservice.customer) can still access many of the backend UI pages.
Here is an example of an ACL allowing users with the sn_esm_user role to access the ast_contract_list UI page, which is part of the backend UI.
I understand that externals might want to have access to the table in general, but why give them access to the (backend) UI page? In my opinion the external users should never access any backend UI and should only interact with the provided portals (csm/csp).
When impersonating an external user in the OOB configuration I can therefore still see parts of the Backend UI.
Do you see any issue in restricting those UI page ACLs by removing the sn_esm_user / sn_customerservice.customer roles?
I have generated a list of UI pages for which I would adjust the ACLs (leaving out obviously needed pages used for password reset, authentication, etc.):
| UI Page ACL |
|---|
| sys_user |
| customer_account_list |
| sys_user_group |
| ast_contract_list |
| ast_contract |
| service_entitlement |
| customer_contact |
| alm_asset_list |
| alm_asset |
| sn_customerservice_case |
| sn_customerservice_case_list |
| cmdb_service_product_model |
| sn_publications_publications |
| cmn_location |
| list_row_view_empty |
| sn_publications_view_publication |
| sn_publications_publication_list |
| sn_publications_publication |
| sysapproval_approver |
| sysapproval_approver_list |
| notification_preferences |
| cmdb_application_product_model |
| cmdb_contract_product_model |
| cmdb_facility_product_model |
| alm_facility |
| cmdb_software_product_model |
| cmdb_software_product_model |
| alm_license |
| cmdb_consumable_product_model |
| alm_consumable |
| cmdb_hardware_product_model |
| cmdb_model_category |
| alm_hardware |
| cmdb_model_list |
| cmdb_model |
| external_servicecatalog_cat_item_view |
| customer_contact_list |
I would assume this is a typical requirement that external users should at all costs never see the backend UI, so I am looking forward to your experiences.
Thank you!
Greetings,
Sören
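The review the post describes (find every ui_page ACL that grants access to an external CSM role, except the pages that must stay reachable, and plan which roles to remove) can be scripted before anything is changed in the instance. The block below is an added example and is not code from the post or from ServiceNow; it runs offline on a constructed list of ACL rows shaped like a join of sys_security_acl with its required roles, and the allow-listed page names (`password_reset`, `login_redirect`) are assumptions for the sake of the example. It also handles the one case a practitioner would want flagged: an ACL whose only roles are the external ones. Simply removing those roles would leave an ACL that requires no role at all, which is more permissive, not less, so such ACLs are marked for manual handling instead.

```javascript
// Added example (not from the original post): audit helper that mirrors the
// ACL review described above. SAMPLE_ACLS is CONSTRUCTED sample data shaped
// like a join of sys_security_acl (type, name) with its required roles; it is
// not taken from a real instance.

// Roles that identify external (customer / consumer) users in CSM.
const EXTERNAL_ROLES = new Set(["sn_esm_user", "sn_customerservice.customer"]);

// UI pages that must stay reachable for externals (password reset, authentication).
// These page names are assumptions for the example, not a vetted list.
const KEEP_PAGES = new Set(["password_reset", "login_redirect"]);

// Constructed sample: ACL rows with their type, the object they protect and
// the roles the ACL requires.
const SAMPLE_ACLS = [
  { sys_id: "acl001", type: "ui_page", name: "ast_contract_list", roles: ["sn_esm_user", "contract_manager"] },
  { sys_id: "acl002", type: "ui_page", name: "sys_user", roles: ["sn_customerservice.customer"] },
  { sys_id: "acl003", type: "ui_page", name: "password_reset", roles: ["sn_esm_user"] },
  { sys_id: "acl004", type: "record", name: "ast_contract", roles: ["sn_esm_user"] },
  { sys_id: "acl005", type: "ui_page", name: "cmdb_model", roles: ["asset"] },
];

// Returns the ui_page ACLs that grant access to at least one external role,
// skipping the allow-listed pages. Record (table) ACLs are left alone, as the
// post only questions access to the backend UI pages.
function findExternalUiPageAcls(acls, externalRoles = EXTERNAL_ROLES, keepPages = KEEP_PAGES) {
  return acls.filter(
    (acl) =>
      acl.type === "ui_page" &&
      !keepPages.has(acl.name) &&
      acl.roles.some((r) => externalRoles.has(r))
  );
}

// Plans the change for one ACL: which roles to remove and which remain.
// An ACL whose required-role list becomes empty no longer demands any role,
// so such an ACL is flagged for manual handling (deactivate it or assign the
// intended internal role) instead of being silently opened up to everyone.
function planAclChange(acl, externalRoles = EXTERNAL_ROLES) {
  const remove = acl.roles.filter((r) => externalRoles.has(r));
  const remaining = acl.roles.filter((r) => !externalRoles.has(r));
  return {
    sys_id: acl.sys_id,
    name: acl.name,
    remove,
    remaining,
    action: remaining.length === 0 ? "REVIEW_MANUALLY_would_become_roleless" : "remove_roles",
  };
}

// Builds the full change plan for a set of ACL rows.
function buildPlan(acls) {
  return findExternalUiPageAcls(acls).map((acl) => planAclChange(acl));
}

// Stand-alone run: show the plan for the constructed sample.
console.table(buildPlan(SAMPLE_ACLS));
```

On a real instance the same logic would be fed from a query over sys_security_acl and sys_security_acl_role (or an export of those tables) rather than the constructed array; the planning step is the part worth keeping, because it separates the safe edits (external role removed, an internal role still required) from the ACLs that need a decision about which internal role should own the page.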