
DEVELOPERS FORUM - How to prevent untrusted clients from accessing Aras Innovator?

fli - Wednesday, January 21, 2015 4:23 AM:

Any enabled Innovator user can write an application using the IOM.dll and then export all Items for which he has "get" access, and nobody will notice.
This is a threat to the system performance, uptime and most of all a data security risk.
To prevent this, perhaps Aras needs to create a way to only let "trusted applications" log in to Aras.
mechanism so external programs must be registered and authorized
- Christoffer


DavidSpackman - Friday, February 6, 2015 8:38 AM:

I agree this is a risk.

It is also possible for users to use the export tool to access your datamodels and packages.

Dave

kentonv - Friday, February 20, 2015 5:10 PM:

This is true, but only for data & items which they have access to through the permission model and client.  It would be more time consuming, but the user could also search for those items, and copy/paste the data into another format with the same results. It would also be possible to query the information through the Aras client, and capture the responses through a tool like 'Fiddler', then parse those to get the same results. I think this would be possible using most PLM solutions/clients.

I am not sure there is a security risk if a user already has access to the data through the client, just not as fast a way to take advantage of it.



kentonv - Friday, February 20, 2015 5:12 PM:

David:

The import/export tool requires access to the 'Package Definition' itemtype. If you are worried about that access, you could change the permissions for that itemtype, and the export tools would be unusable for this purpose.



DavidSpackman - Friday, May 1, 2015 1:33 AM:

Thanks Kenton. Good tip.