Why can’t a non-Admin user see reservable spaces in organization?

We have some reservable spaces with system geography and system organization settings. A non-Admin user also has the same geography settings. There are security groups for reservations, and organizations and geography security groups are assigned to him. The geo and org security groups have the same geo and org as the space and profile. But the non-Admin user still isn’t able to see spaces.

He is only able to see them when the first level of the org hierarchy is provided in the group (i.e. \Organization). But as soon as the second level is given in the group, he isn’t able to see them. Can anyone help me on this? I think there is some issue in the org, but I don’t know exactly where it is.

[Admin: To see other related posts, use the Geography tag or Organizations tag.]

Continue reading →

Verdantix: Solution providers step up IT security in smart buildings

One of the biggest barriers to growth in remotely accessing building management systems (BMS) – one of the key features of a smart building – is IT security.

The IT industry has established a sophisticated process for monitoring and protecting IT networks, but these concepts are not as well developed in building systems and many of the equipment that make up the Internet of Things (IoT). Additionally, there is often lack of communication and collaboration between the IT department and the facilities department. There is also increasing pressure on service providers to provide an out-of-the-box security solution.

Smart buildings are particularly vulnerable as every added connected device is another potential door into the building’s wider network. Even one of the most high-tech companies in the world, Google, was hit by a cyberattack in 2013 through a building management system. Retailer, Target was hacked through the HVAC system in 2014. This year, we have seen severe ransomware cyberattacks, such as the WannaCry ransomware attack that affected computers in over 150 countries.

This type of attack now feels very regular with a similar one occurring as we write. Individual buildings such as hotels have also been targeted and hacked through building automation systems (BAS) – witness the attack on a luxury hotel in the Austrian Alps in February, where the card system got breached, shut down, and a ransom demanded to restore the system to enable guests back into their rooms…

To learn more about the market for remote monitoring solutions see our recent report – Now Is The Time To Implement Remote Monitoring Solutions.

[Admin: To see other related posts, use the Smart Buildings tag or Vulnerability tag.]

Continue reading →

Why can’t “Create” state transition be triggered through OSLC?

I have an issue where it is not possible for non-Admin users to trigger the Create state transition through our OSLC interface. Instead, we get the following error:

2017-06-27 13:08:10.301 UTC ERROR [com.tririga.platform.integration.oslc.OslcRequestDispatcherImpl](Default Executor-thread-34280) Failed to read message: null
2017-06-27 13:08:10.301 UTC ERROR [com.tririga.platform.integration.oslc.OslcRequestDispatcherImpl](Default Executor-thread-34280) Exception in OSLC call: com.tririga.platform.integration.oslc.OslcException. message=java.lang.ClassCastException: com.tririga.platform.metadata.domain.BoStateTransitionId incompatible with com.tririga.platform.metadata.domain.gui.GuiStateTransitionMetadata

The fact that I am able to create and associate the record using an Admin user says to me that this is related to permissions, but I’ve made sure that the user has full security access for both the BO/form it is trying to create, the BO/form that it is attaching it to, and all other BOs/forms that are associated to it, and it still gives me the error above.

When I open the created record that my Admin user created, it looks to be correct. But when I open the one that the non-Admin user tried to create, it shows an empty record. None of the fields are saved in a null state, which of course is because it didn’t get created, the Create state transition was not triggered. Any idea of what is causing this issue? And how to resolve it?

[Admin: To see other related posts, use the OSLC tag.]

Continue reading →

Changing functionality in TRIRIGA to fix security vulnerabilities

In this day and age, security is a very hot topic. As soon as one vulnerability is addressed and mitigated, another one is found. It is a vicious circle of identifying and addressing vulnerabilities that does not seem to let up. In our fix pack release notes, information regarding the mitigation of vulnerabilities that were addressed without an APAR is listed. And sometimes, a vulnerability is addressed as an APAR.

The reason I am mentioning security vulnerabilities is that sometimes, when they are resolved, there is an impact on existing functionality, which may not always be clear. Sometimes, the result of fixing vulnerabilities can “change” functionality. As an example, in the TRIRIGA 3.5.2 release, external URL navigation items will now open in a new window to avoid cross-origin scripting vulnerabilities…

As the product develops and security vulnerabilities are found and addressed, it could mean a change in how something works. Reading the release notes can be a source of information, but it may not always be clear why something changed. We all know change is hard, especially when we are so used to it working in a certain way. I don’t know about you, but if the change was made to address a security vulnerability, I can live with that and accept the change.

[Admin: This post is related to the 04.07.17 post about APAR IV94912 where “External URL” navigation items may no longer work. To see other related posts, use the Security tag or Vulnerability tag.]

Continue reading →

IV97185: User session terminated due to missing security token

In TRIRIGA 3.5.2.2, the user’s session was terminated by the server due to a missing security token on the request when interacting with forms and large queries.

We needed to add a TRIRIGA security token to two locations in the reporting engine. Moving forward, we resolved an issue that could cause a user’s session to be terminated if the user interacts with an editable query before the query has finished loading.

[Admin: To see other related posts, use the Tokens tag or Editable tag.]

Continue reading →

IV96845: Ability to bypass security and use unauthorized functions

Testers found that they had the ability to add reports to the My Reports page in TRIRGA, even though the links for New, Copy, Delete, Copy as Community Report, and Share Report were not present for the read-only users.

Moving forward, an privilege escalation issue in Report Manager has been resolved.

[Admin: To see other related posts, use the Vulnerability tag or CVE tag.]

Continue reading →

Why doesn’t the SQL data match the viewed TRIRIGA application data?

Is anyone using the system organization for their security groups? We have noticed a problem to which IBM doesn’t seem to be giving enough any attention, and I’m wondering how many clients have even found this yet.

I posted the following statement in IBM developerWorks hoping to get some attention. We are starting to notice a few areas where the SQL data doesn’t match what is viewed in the application. Here is an example:

• (1) First, you need a query that displays a list of leases and one of the columns is the system org. (Make sure that column has a user filter.)
• (2) Now, note the system org name on one of the records.
• (3) Go to that org record. Edit the org name (for example, add “test” to the end of it), and activate the org record.
• (4) Go back to that query.
• (5) The system org displays the new value on the lease and in the query.
• (6) Enter a user filter for “test” in the system org column. But the query doesn’t recognize the edit…

[Admin: The same question is also posted in the main Application Platform forum. This post is related to the 01.04.17 post about filters failing when using changed classification values. To see other related posts, use the SQL tag or Filter tag.]

Continue reading →