security issue with service_author role?

Andres19
Tera Expert

Hi

I'm doing some research regarding the roles related to DPM and Service-CRUD functionalities. I have the following behaviour, which makes me a bit confused:

What I have:

  • A sys_user related to a Company with the roles service_author, sn_dpm.dpm_manager, snc_internal.
  • The related Company is a self-made company which is marked as vendor.
  • The Demo-Data Services of the PDI.

Behaviour on my ootb PDI:

  • Impersonate as the sys_user mentioned above.
  • Select a Business Service (ServiceNow PDI Demo Service) in the backend. --> Editing is not possible. --> ok
  • Open DPM
  • Select the Enterprise Portfolio where the Service is related to
  • Drill-Down into the Service
  • Select "Edit in Service Builder" via the three dots in the upper right corner
  • The Service Builder opens and I'm able to edit it.
  • Do not change nor save anything
  • Change back into the backend --> now I'm able to change the details of the service. --> could be a security issue for my purpose because the role description says that service_author can only change their owned services.

Am I wrong in my assumption or is that a correct behaviour because I gave sn_dpm.dpm_manager to the sys_user too?

Many thanks and regards, Andres

1 ACCEPTED SOLUTION

Andres19
Tera Expert

I just did a bit more research and have seen that when changing the service via DPM->ServiceDetails->"Edit in Service Builder", a new Service "Copy" is created in cmdb_ci_service_business.
