
Add Flows as Option in System Account Permissioning

Brief Description

In the permissioning of system accounts, in addition to the option of permissioning run users, there must be an option to assign Flows or Flow hierarchies (will be explained) for reading the account.

Benefits / Value

System accounts are usually stored in OO so that a Flow can access the system/API behind the system account.

Usually it is irrelevant who is starting the Flow for whether he should be allowed to read the system account or not, as the use case/Flow has been permissioned to the user for View/Run. The issue is that a system account may be a highly privileged account. In the current solution, a user who runs a Flow must also be able to read the system accounts that are used in subflows.

What we want to achieve is that access to system accounts is limited to a set of Flows that can read the account details.

This can be either the directly calling Flow/operation, another Flow in the call hierarchy (Flow 1 -> calls -> Flow 2 -> calls -> Flow 3 -> accesses -> system account; when Flow 2 is on the permission list, access will be granted), or the top Flow (Flow 1 -> calls -> Flow 2 -> calls -> Flow 3 -> accesses -> system account; when Flow 1 is on the permission list, access will be granted).

Example: add System to Device Group in SA. This requires a highly privileged user in SA. The people who run this Flow in OO might not be entitled to do anything in SA. They should only run the Flow in OO, and the Flow ensures that the user is not doing anything unintended.

But as the end user now has View rights on the system account, he can also use it in any other Flow that does different things in SA, or even read out the PW.

Currently OO does not provide sufficient protection mechanisms for "shared" system accounts.

Access to system accounts must be controlled by the use case that needs the account, and not only by the running/starting end user.


Design details

Add Flows to the list of permissions, and in the authorization process evaluate the Flow call hierarchy.
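
The authorization check requested above, sketched as an added example that is not part of the original post and is not OO code. The `SystemAccountAcl` type, the `authorize_read` function, and all flow paths, user names and account names are hypothetical, and the call chain is assumed to come from the engine's own execution state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SystemAccountAcl:
    """Hypothetical permission entry for one system account (not OO's data model)."""
    name: str
    read_users: frozenset = frozenset()  # current model: run users allowed to read
    read_flows: frozenset = frozenset()  # proposed: flows allowed to read

def authorize_read(acl, run_user, call_chain):
    """Decide whether the account may be read in this execution.

    call_chain lists flow paths from the top flow down to the flow that
    accesses the account. It is assumed to be taken from engine state and
    never from flow inputs, otherwise a flow could claim any caller.
    Returns (allowed, reason).
    """
    if not call_chain:
        return False, "no flow context"
    if run_user in acl.read_users:
        return True, "user"
    last = len(call_chain) - 1
    for depth in range(last, -1, -1):  # nearest flow first, top flow last
        if call_chain[depth] in acl.read_flows:
            if depth == last:
                return True, "direct flow"
            return True, ("top flow" if depth == 0 else "flow in hierarchy")
    return False, "denied"

# Constructed sample data: every name below is made up for illustration.
SA_ADMIN = SystemAccountAcl(
    name="sa_admin",
    read_flows=frozenset({"SA/Add System To Device Group"}),
)
APPROVED_RUN = ["SA/Add System To Device Group", "SA/Login", "SA/Call API"]
OTHER_RUN = ["Adhoc/Other SA Task", "SA/Call API"]

def demo():
    """Same end user, same subflow, two different top flows."""
    return [
        authorize_read(SA_ADMIN, "enduser", APPROVED_RUN),
        authorize_read(SA_ADMIN, "enduser", OTHER_RUN),
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The end user is on no user list here, so the account is readable only while the approved flow is somewhere in the chain; the same user reaching the same subflow from a different top flow is denied.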

1 Comment
Micro Focus Expert
Status changed to: Waiting for Votes