How to change permissions for /Dashboard/GetDashboardQueryData?

Dorus_RolvinkDorus_Rolvink Partner IT Monkey ✭
I've implemented a calendar that uses an API to run queries:
/Dashboard/GetDashboardQueryData?query=

And I found that even end users can type in queries and get it to run. I've only tried SELECT queries, but still it bugs me that people can just dig around in the database on their own. Not only that, a SELECT statement to an entirely different database works too.

I'm not really up to speed with all the permissions, can someone explain to me how you can make them more restrictive?

Best Answer

Answers

  • Dorus_RolvinkDorus_Rolvink Partner IT Monkey ✭
    edited January 18
    That makes a lot of sense actually. I thought maybe Cireson used an application account to do everything and have the user permissions managed internally.
    I'm working in a dev setup, and have two end users that have no rights except for being in the end-users group in Service Manager. They can still do any SELECT.
    I thought maybe the windows auth used the login of windows, so I logged in with a different account with no rights in SM, and still, any SELECT will do. But I saw DROP TABLE doesn't work at all, so that's good. It seems like it is a read-all type of permission, not a do-all.

    Could you point me to where I might find a catch-all read-all in SCSM/MSSQL?
    If you think a screen share would be easier then I'd appreciate that as well of course!




Sign In or Register to comment.