ACL for approval action

snschuler
Kilo Contributor

I am trying to figure out how to limit Approvers' actions. I would like to limit ITIL users from deleting other approvers in a request and adding themselves.

For example, I got this from one of my devs after we did a brief security audit:

"I wasn't (easily) able to approve on your behalf, but I'm sure I could've figured out a way eventually.

Instead I did two other things that required zero effort… first, I deleted your approval request entirely, negating your required input, and second, I added myself as an approver and then approved it. If this were an automated workflow it would blindly go on to the next step. Yes, doing it this way I'm leaving fingerprints, but I can clean that up a bit after the fact (and the damage would presumably already be done).

In theory if I were to delete any listed approver as well then it would flag as fully approved and move forward to the next step. Who really checks the actual list of approvers? (And if we adopt orchestrated pushes directly to Oracle, game over…)"

This would rarely happen, but the fact that it can is worrisome. How can we limit the approvers so that they cannot do this?

1 ACCEPTED SOLUTION

Yep, add the admin role to it in Requires role; you can probably have another role called approval_admin or something and assign it to people who are authorized to delete approvals.

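The accepted answer describes the access decision only in ServiceNow ACL terms (table ACLs on sysapproval_approver for create/delete with "Requires role" set to approval_admin). The following is an added example, not code from the thread or from ServiceNow, that models that decision as a plain function so it can be run and tested outside the platform; the role name approval_admin is the one suggested above, and the actor and record shapes, the role name itil and the sys_ids are constructed for the example.

```javascript
// Constructed example modelling the ACL described in the thread (not platform code).
const PRIVILEGED_ROLES = ['admin', 'approval_admin'];
const hasPrivilegedRole = (roles) => roles.some((r) => PRIVILEGED_ROLES.includes(r));

// op: 'create' | 'delete' | 'write'; actor: { sysId, roles }; record: { approverSysId };
// update: new field values on write. Returns { allowed, reason }, the value an
// ACL script condition on sysapproval_approver would assign to `answer`.
function approverChangeAllowed(op, actor, record, update) {
  if (hasPrivilegedRole(actor.roles)) return { allowed: true, reason: 'privileged role' };
  switch (op) {
    case 'delete':
      // Removing a required approver negates that person's input: role holders only.
      return { allowed: false, reason: 'delete requires approval_admin' };
    case 'create':
      // No insert without the role, and never of oneself.
      return {
        allowed: false,
        reason: record.approverSysId === actor.sysId
          ? 'self-assignment as approver denied'
          : 'create requires approval_admin',
      };
    case 'write':
      // The assigned approver may approve/reject their own row but not repoint it.
      if (record.approverSysId !== actor.sysId) {
        return { allowed: false, reason: 'not the assigned approver' };
      }
      if (update && update.approverSysId && update.approverSysId !== record.approverSysId) {
        return { allowed: false, reason: 'reassigning approver denied' };
      }
      return { allowed: true, reason: 'own approval' };
    default:
      return { allowed: false, reason: 'unknown operation' };
  }
}

// Replays the two moves from the dev's audit note, plus an authorised delete.
function replayAudit() {
  const itilDev = { sysId: 'dev01', roles: ['itil'] };
  const approvalAdmin = { sysId: 'adm01', roles: ['approval_admin'] };
  const managerApproval = { approverSysId: 'mgr01' };
  return {
    deleteManagerApproval: approverChangeAllowed('delete', itilDev, managerApproval),
    addSelfAsApprover: approverChangeAllowed('create', itilDev, { approverSysId: 'dev01' }),
    adminDelete: approverChangeAllowed('delete', approvalAdmin, managerApproval),
  };
}
```

Both moves from the audit note come back denied for the ITIL user, while the approval_admin delete is allowed, which is the behaviour the ACL change in the accepted answer is meant to enforce.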

10 REPLIES

You always have to elevate to security admin for modifying ACLs. Are you unable to elevate from here?


Yes! Got it. Thank you.

Could you please close the thread by marking the answer as correct?

brendanwilson84
Kilo Guru

Yep, on that table