ACL for approval action

snschuler
Kilo Contributor

I am trying to figure out how to limit approvers' actions. I would like to limit ITIL users from deleting other approvers in a request and adding themselves.

For example, I got this from one of my devs after we did a brief security audit:

"I wasn’t (easily) able to approve on your behalf, but I’m sure I could’ve figured out a way eventually. 

Instead I did two other things that required zero effort… first, I deleted your approval request entirely, negating your required input, and second, I added myself as an approver and then approved it.  If this were an automated workflow it would blindly go on to the next step.  Yes, doing it this way I’m leaving fingerprints, but I can clean that up a bit after the fact (and the damage would presumably already be done). 

 In theory if I were to delete any listed approver as well then it would flag as fully approved and move forward to the next step.  Who really checks the actual list of approvers?  (And if we adopt orchestrated pushes directly to Oracle, game over…)"

This would rarely happen, but the fact that it can is worrisome. How can we limit the approvers so that they cannot do this?

1 ACCEPTED SOLUTION

Yep, add admin role to it in requires role, you can probably have another called approval_admin or something and assign it to people who are authorized to delete approvals.

 

10 REPLIES

brendanwilson84
Kilo Guru

In the delete ACL for sys_approval, removed ITIL and just have admins

You are referring to the sysapproval_approver ACL?

Yep, add admin role to it in requires role, you can probably have another called approval_admin or something and assign it to people who are authorized to delete approvals.

 

Thanks for the reply. This is exactly what I was looking for, and currently I have three roles under this ACL. However, I also do not have the ability to modify. Neither my colleague nor I have the ability to modify, and we are both the admins for our instance. Do we need an elevated security level? If so, I am assuming this is something I have to call support for.

Thanks to everyone who responds.  The information you are providing me with will help if I do need to call support.
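
Added example, not part of the original thread and not ServiceNow code: a check that answers the "who really checks the actual list of approvers?" point by comparing the approvers a workflow assigned with the ones who actually approved, and flagging approval records deleted or self-added by anyone else. The event tuple format, the user names and the `workflow` actor are assumptions constructed for illustration; it also assumes the events cover requests the workflow already treated as fully approved.

```python
from collections import defaultdict

# Constructed sample events in time order (hypothetical export format,
# not a ServiceNow schema): (request, action, actor, approver).
EVENTS = [
    ("REQ001", "insert", "workflow", "alice"),
    ("REQ001", "insert", "workflow", "bob"),
    ("REQ001", "delete", "mallory", "alice"),     # required approver removed
    ("REQ001", "insert", "mallory", "mallory"),   # actor adds self as approver
    ("REQ001", "approve", "mallory", "mallory"),
    ("REQ001", "approve", "bob", "bob"),
    ("REQ002", "insert", "workflow", "carol"),
    ("REQ002", "approve", "carol", "carol"),
]

# Assumption: only the workflow engine legitimately assigns approvers.
TRUSTED_ACTORS = {"workflow"}


def audit_approvals(events, trusted=TRUSTED_ACTORS):
    """Return {request: [findings]} for approval lists that were altered."""
    required = defaultdict(set)   # approvers assigned by a trusted actor
    approved = defaultdict(set)   # approvers who recorded an approval
    findings = defaultdict(list)
    for request, action, actor, approver in events:
        if action == "insert":
            if actor in trusted:
                required[request].add(approver)
            elif actor == approver:
                findings[request].append(f"{actor} added self as approver")
            else:
                findings[request].append(f"{actor} added approver {approver}")
        elif action == "delete" and actor not in trusted:
            findings[request].append(f"{actor} deleted approval for {approver}")
        elif action == "approve":
            approved[request].add(approver)
    # A request can look fully approved while an originally required
    # approver never signed off, because that record no longer exists.
    for request, needed in required.items():
        for approver in sorted(needed - approved[request]):
            findings[request].append(f"required approver {approver} never approved")
    return dict(findings)


if __name__ == "__main__":
    for request, issues in audit_approvals(EVENTS).items():
        print(request, issues)
```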