User can access SP forms without logging into instance

Andrew Dunn
Giga Contributor

Hi all,

I have had the following situation.

We utilise contact records for some users so that the service desk can log tickets on their behalf. However, they should not have access to the portal or Service Catalog (these are minimal and should go through the relevant Service Desk).

However, I have had a user log a Service Catalog request (the ticket shows that the form was used) where their account was:

  • Active
  • No LDAP integration
  • Password had been randomised (and not shared)
  • Password needs reset = TRUE

Can anyone advise how the user could access the form, or how I can stop similar situations occurring?

Thanks

Vasantharajan N
Giga Sage

I don't think this is possible. Someone who has access to the system could have raised the request using the "Requested for" option in the catalogue item checkout process, if the catalogue item is marked for delegated access.

Please check whether the created_by user is the same as the Requested for user; if yes, then we need to dig more into this issue.


Thanks & Regards,
Vasanth

Hi Vasantharajan

The requested for and created by persons are different. It is the created by person that meets the above criteria and should not have been able to access it.

Understand that the requested for can be anyone in the system (that is how we have it set up), which is why the requested for is not a concern.

Cheers

Tom Sienkiewicz
Mega Sage

Hi, can you confirm what roles that user had: snc_internal or snc_external?

What you can check are the settings on the pages/widgets for your portal. Perhaps those are misconfigured and allow public access. Check the "roles" and "public" fields on the portal page records in question to see who can view the given page. The same goes for widgets. If you're using the "Service Portal User Criteria Support" plugin, make sure to review those too.

Generally, what you're describing should not be possible unless those pages/widgets are set for public access. It is perhaps best to try and ask the person concerned how they accessed the page. As "bad" as it may sound, this can often provide the most useful info.
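The "roles" / "public" audit suggested in the reply above, worked through as an added example that is not part of the thread and not ServiceNow's own code. It models the assumed Service Portal page access rule: a page with `public` set needs no login; otherwise the caller must be authenticated and, if the comma-separated `roles` field is non-empty, hold at least one of the listed roles. It also adopts the thread's assumption that a user with no explicit roles is treated as snc_internal. The page records are constructed sample data shaped like sp_page rows, not real instance data.

```javascript
// Added example (not from the thread or from ServiceNow): a model of the
// Service Portal page access rule so the "roles" / "public" audit can be
// reasoned about offline. Assumed semantics for an sp_page row:
//   public = true  -> no login required at all
//   otherwise      -> caller must be authenticated and, if `roles` is
//                     non-empty, hold at least one listed role
// Assumption taken from the thread: a user with no explicit roles is
// evaluated as snc_internal.

// Constructed sample records shaped like sp_page rows; not real instance data.
const SAMPLE_PAGES = [
  { id: "index",      title: "Home",              roles: "",                          public: false },
  { id: "sc_catalog", title: "Service Catalog",   roles: "snc_external,snc_internal", public: false },
  { id: "kb_article", title: "Knowledge Article", roles: "",                          public: true  },
  { id: "sc_admin",   title: "Catalog Admin",     roles: "catalog_admin",             public: false },
];

// Roles that every logged-in user effectively holds. A page restricted only
// to these is open to anyone who can authenticate, which is the gap in the
// thread: the catalog page lists exactly these two roles.
const BASELINE_ROLES = new Set(["snc_internal", "snc_external"]);

function parseRoles(csv) {
  return String(csv || "").split(",").map(r => r.trim()).filter(Boolean);
}

// Roles the platform is assumed to evaluate for a user: explicit roles plus
// the implicit snc_internal for anyone not marked external.
function effectiveRoles(userRoles) {
  const held = new Set(userRoles);
  if (!held.has("snc_external")) held.add("snc_internal");
  return held;
}

function canView(page, user) {
  if (page.public) return true;            // public pages skip authentication entirely
  if (!user.authenticated) return false;   // everything else needs a session
  const required = parseRoles(page.roles);
  if (required.length === 0) return true;  // empty roles = any authenticated user
  const held = effectiveRoles(user.roles);
  return required.some(r => held.has(r));
}

// The audit itself: pages any authenticated user can open (empty roles, or
// only baseline roles) and pages reachable with no login at all.
function auditPages(pages) {
  const openToAnyUser = [];
  const openToAnonymous = [];
  for (const p of pages) {
    if (p.public) openToAnonymous.push(p.id);
    const required = parseRoles(p.roles);
    if (required.length === 0 || required.every(r => BASELINE_ROLES.has(r))) {
      openToAnyUser.push(p.id);
    }
  }
  return { openToAnyUser, openToAnonymous };
}

// Usage: a contact-style account with no roles, as in the thread, can open
// every page the audit flags, including the catalog page.
const rolelessUser = { authenticated: true, roles: [] };
console.log(auditPages(SAMPLE_PAGES));
console.log(SAMPLE_PAGES.map(p => [p.id, canView(p, rolelessUser)]));
```

In an instance the same loop would be fed from the sp_page table (the "roles" and "public" fields named in the reply) instead of the constructed array, and the widget records can be walked the same way. Any page the audit lists under openToAnyUser is reachable by a roleless contact account the moment that account can authenticate, whatever the account was created for.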

Hi Tomasz - the user had no roles assigned, so in theory, as they have been created in the instance, I assume the default snc_internal role is applied.

The roles on the service catalog page are snc_external, snc_internal.

When I spoke to the person, they advised that they had been provided a link to the form, and as per the above roles I assume that allowed them access.

What I have done, and am currently monitoring, is for each user that should be able to have tickets logged against their name but not access the forms, randomise their password (not SSO linked) and set the following:

[image attachment]

Cheers