11-12-2024 12:20 AM
I am using the ServiceNow dev instance `devXXXXXX.service-now.com`. While investigating access controls, I observed a potential data leak or unexpected behavior.
When logged in as an Admin user, I can search and view all available catalogs. However, when logged in with the "ML Report Role" or "Business Stakeholder Role," I cannot navigate to the Service Catalog items through the UI.
Interestingly, when I copy and paste a Service Catalog item URL directly (from an Admin user session) into the browser of a user with either the "ML Report Role" or "Business Stakeholder Role," I can view the content, even though the items are not accessible through navigation.
My questions are:
1. Is this expected behavior?
- If so, why is the navigation not available to users with the "ML Report Role" or "Business Stakeholder Role"?
2. If it’s not expected, does this behavior indicate a security vulnerability?
Thank you for your help and prompt response!
11-12-2024 11:05 PM