Home Self-Service Portal - Community

Reviewer Privilage Issue

I faced a sec issue with the reviewers in Cireson Portal. Let's say X is a reviewer like Y, and their AD group is set to Approve/Reject privileges in Cireson Portal Admin Settings.

When reviewer X submits a SR which has Y as a reviewer, X can open the submitted request and approve/reject the activity even though he is not the approver of that activity.

Have you encounter this issue before?

Best Answer

Answers

  • seth_coussensseth_coussens Member Ninja IT Monkey ✭✭✭✭
    This would not be an issue as much as by design.

    If you put a user in the AD group that you are then assigning in the portal admin settings as being able to approve, then you are overriding the SCSM built in permissions for this.

    Really you should only use those groups for users that you want to have manager approval level permissions. A end user that is a reviewer already has the permissions to approve their own review activities. You should remove the group in this case and user the default SCSM permissions if you want to do what you are describing above.
  • Tom_HendricksTom_Hendricks Customer Super IT Monkey ✭✭✭✭✭
    In full agreement with @seth_coussens, I just wanted to share that we encounter this sometimes.  I can approve change requests, and I sometimes need to submit them.  It is not appropriate for me to approve my own changes, but I belong to the AD group that the reviewers belong to.  Fortunately, I can ask another reviewer to approve or reject it since there is more than one of us.

    In cases like this, you definitely have to rely on process to keep things on the up and up.  You could also generate a report of CR's that were approved by the same person who requested it (work items related to review activity/ies that where the user object that voted is the same user as the work item creator), as a detective control.  Seth already covered prevention.
  • Ozge_OzkayaOzge_Ozkaya Member IT Monkey ✭
    Dear @seth_coussens it is clear now. I managed to handle the Reviewers access. But now i have problems with Analysts who are actually responsible for completing the Manual Activities. From SCSM Console i created a new user role for them out of Advance Operators. Making this created a sec issue because they can now approve/reject any review activity on the SR that they submitted.
Sign In or Register to comment.