Check impersonation on ACL evaluation in HR App [New in Security Center 1.3 and updated in 1.5]
Use the sn_hr_core.impersonateCheck property to prevent a user from impersonating another user and accessing their HR information.
The secure setting prevents an admin from seeing another user's HR information while impersonating that user. The insecure setting allows an admin to impersonate a user and read HR data, such as survey results or audit records, with the impersonated user's access. Because this data includes information that should be visible only to the user themselves (for example, email), leaving the check off is not recommended. Setting sn_hr_core.impersonateCheck to true allows access to HR information only when the user is not impersonating anyone.
More information
| Attribute | Description |
|---|---|
| Configuration name | sn_hr_core.impersonateCheck |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | true |
| Default value | false |
| Category | Architecture, design, and threat modeling |
| Security risk | |
| Dependencies and prerequisites | None |
| Functional impact | When this property is set to true, it prevents an admin from seeing another user's HR information while impersonating that user. When set to false, it allows an admin to impersonate a user and read HR data, such as survey results or audit records, with the impersonated user's access. Because this data includes information that should be visible only to the user themselves (for example, email), leaving the check off is not recommended. Setting sn_hr_core.impersonateCheck to true allows access to HR information only when the user is not impersonating anyone. |
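The following is an added example, not code from the HR Core application or from Security Center, that models the two behaviours the table describes: the ACL decision an impersonating admin hits under the secure and insecure settings, and a hardening audit that compares the effective property value with the recommended value. The session object and property store are constructed stand-ins; in a real instance the equivalent calls are `gs.getProperty('sn_hr_core.impersonateCheck')` and `gs.getSession().isImpersonating()` (my reading of the GlideSystem/GlideSession API; verify against your instance's version). Note that system properties are stored as strings even when typed Boolean, so the check below treats only the literal string `'true'` as enabled.

```javascript
// Added example (not the HR Core app's own ACL script): models the access
// decision controlled by sn_hr_core.impersonateCheck and a hardening audit.

const PROPERTY = 'sn_hr_core.impersonateCheck';

// Constructed sys_properties snapshots for the insecure and secure states.
// Values are strings, as stored in sys_properties.
const PROPERTIES_INSECURE = { [PROPERTY]: 'false' };
const PROPERTIES_SECURE = { [PROPERTY]: 'true' };

// Reads a property the way gs.getProperty() would: absent means default.
// Only the literal string 'true' counts as enabled in this example.
function propertyIsTrue(props, name, defaultValue = 'false') {
  const value = props[name] === undefined ? defaultValue : props[name];
  return String(value) === 'true';
}

// Constructed session stand-in. `impersonatedUser` is set when an admin has
// switched to another user; isImpersonating() mirrors the GlideSession call
// (assumption about the API, see lead-in).
function makeSession(realUser, impersonatedUser) {
  return {
    effectiveUser: impersonatedUser || realUser,
    isImpersonating: () => Boolean(impersonatedUser),
    getImpersonatingUserName: () => (impersonatedUser ? realUser : ''),
  };
}

// ACL-style read condition for an HR record belonging to `recordSubject`.
// With the check enabled, an impersonating session is denied even though the
// impersonated identity matches the record subject; with it disabled, the
// impersonating admin inherits the subject's access.
function canReadHrRecord(session, props, recordSubject) {
  if (propertyIsTrue(props, PROPERTY) && session.isImpersonating()) {
    return {
      allowed: false,
      reason: `impersonation by ${session.getImpersonatingUserName()} blocked by ${PROPERTY}`,
    };
  }
  if (session.effectiveUser !== recordSubject) {
    return { allowed: false, reason: 'not the record subject' };
  }
  return { allowed: true, reason: 'record subject' };
}

// Hardening audit in the spirit of the Security Center check: reports the
// effective value (default false when unset) against the recommended value.
function auditImpersonateCheck(props) {
  const actual = props[PROPERTY] === undefined ? 'false (default)' : props[PROPERTY];
  const compliant = propertyIsTrue(props, PROPERTY);
  return {
    property: PROPERTY,
    actual,
    recommended: 'true',
    compliant,
    finding: compliant
      ? 'OK'
      : `admins can read HR data while impersonating; set ${PROPERTY} to true`,
  };
}

// Stand-alone walk-through of the decision table.
function demo() {
  const adminAsJane = makeSession('admin', 'jane'); // admin impersonating jane
  const jane = makeSession('jane');                 // jane herself
  return {
    insecureImpersonating: canReadHrRecord(adminAsJane, PROPERTIES_INSECURE, 'jane'),
    secureImpersonating: canReadHrRecord(adminAsJane, PROPERTIES_SECURE, 'jane'),
    secureSelf: canReadHrRecord(jane, PROPERTIES_SECURE, 'jane'),
    auditUnset: auditImpersonateCheck({}),
    auditSecure: auditImpersonateCheck(PROPERTIES_SECURE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the insecure setting granting the impersonating admin the subject's read access, the secure setting denying it while the subject's own session still passes, and the audit flagging an unset property because the default is false.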