Block access for delegated developers

  • Release version: Australia
  • Updated March 12, 2026
  • This configuration affects access for delegated developers who update user roles through scripts. When the configuration is compliant, a developer cannot update or insert records in the sys_user_has_role table without also having the user_admin role.

    This property determines whether a delegated developer can assign roles to users through scripts. If com.glide.sys.security.delegateddev.block_grant_roles is not set to the recommended value of true, then a delegated developer could assign roles to any user. This could lead to unapproved privilege escalation.

    Ensure that the property com.glide.sys.security.delegateddev.block_grant_roles is set to true.

    More information

    Attribute: Description
    Configuration name: com.glide.sys.security.delegateddev.block_grant_roles
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Recommended value: true
    Default value: <none>
    Fallback value: true
    Category: Access control
    Security risk:
      • Severity score: 6.7
      • CVSS rating: Medium
      • Security risk details: Delegated developers may assign roles to any user via scripts, posing a significant security risk of unauthorized privilege escalation.
    Functional impact: When a user with the delegated_developer role attempts to modify a record in the User Roles [sys_user_has_role] table, this property enables additional security checks on the operation. The checks validate that the user has been granted the user_admin role when creating or updating records in the User Roles [sys_user_has_role] table. If the user does not have the user_admin role, access is denied. When the property is false, these additional checks are not performed.
    Dependencies and prerequisites: None
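
An offline audit of this setting, added here as an example and not taken from ServiceNow's own code: it resolves the effective value of the property, including the fallback of true when no record exists, and lists role grants created by users who hold delegated_developer without user_admin. The row shapes, user names and the role name example_role are constructed, and it assumes the rows were exported from sys_properties and sys_user_has_role.

```javascript
// Added example: offline audit over constructed exports of sys_properties and
// sys_user_has_role. Row shapes are assumptions, not a ServiceNow API.
const PROP = "com.glide.sys.security.delegateddev.block_grant_roles";

// Resolve the effective setting. The page lists no default and a fallback of
// true, so a missing row means the additional checks are active.
function effectiveSetting(propRows) {
  const row = propRows.find((r) => r.name === PROP);
  if (!row) return { blocked: true, source: "fallback" };
  // Assumption for this audit: any value other than "true" is reported as not blocking.
  const blocked = String(row.value).trim().toLowerCase() === "true";
  return { blocked, source: "explicit" };
}

// Flag role grants created by a user who holds delegated_developer but not
// user_admin: the writes the page says are denied when the property is true.
// Only direct role rows are considered; inherited roles are not modelled.
function grantsToReview(roleRows) {
  const rolesOf = new Map();
  for (const { user, role } of roleRows) {
    if (!rolesOf.has(user)) rolesOf.set(user, new Set());
    rolesOf.get(user).add(role);
  }
  return roleRows.filter(({ sys_created_by }) => {
    const held = rolesOf.get(sys_created_by) || new Set();
    return held.has("delegated_developer") && !held.has("user_admin");
  });
}

function auditReport(propRows, roleRows) {
  const setting = effectiveSetting(propRows);
  return { compliant: setting.blocked, setting, review: grantsToReview(roleRows) };
}

// Constructed sample data (not from a real instance).
const sampleProps = [{ name: PROP, value: "false" }];
const sampleRoles = [
  { user: "dev.one", role: "delegated_developer", sys_created_by: "sec.admin" },
  { user: "sec.admin", role: "user_admin", sys_created_by: "system" },
  { user: "dev.two", role: "delegated_developer", sys_created_by: "sec.admin" },
  { user: "dev.two", role: "user_admin", sys_created_by: "sec.admin" },
  { user: "dev.one", role: "example_role", sys_created_by: "dev.one" },
  { user: "app.user", role: "example_role", sys_created_by: "dev.two" },
];

console.log(JSON.stringify(auditReport(sampleProps, sampleRoles), null, 2));
```

Rows returned in review are candidates for follow-up, since a creator's roles may have changed after the grant was made.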