IV96845: Ability to bypass security and use unauthorized functions


Testers found that they had the ability to add reports to the My Reports page in TRIRIGA, even though the links for New, Copy, Delete, Copy as Community Report, and Share Report were not present for the read-only users.

Moving forward, a privilege escalation issue in Report Manager has been resolved.

[Admin: To see other related posts, use the Vulnerability tag or CVE tag.]


How are you running your QA organization to support TRIRIGA?


I want to understand how people are running their QA organization to support TRIRIGA implementations. What kind of automation is being used? What challenges are being faced? I’m trying to start up a discussion around QA testing for TRIRIGA.

[Admin: To see other related posts, use the QA tag or Testing tag.]


Is there a way for the “Component ID” to stay permanent in TRIRIGA?


In TRIRIGA, the Component ID for a field changed after upgrading. For example, in TRIRIGA 3.5/10.5, the Component ID for the “User ID” text box on the login page was: textbox(“User Name”). But in 3.5.2/10.5.2, it changed to: textbox(“User ID”). This is impacting our automation test. Each time we upgrade to a new version, we need to check and change our automation test script. Is it possible to keep these Component ID values fixed?

[Admin: To see other related posts, use the QA tag or Testing tag.]


Are file attachments in Outlook also attached in SMTP messages?


In the context of TRIRIGA Reservation Management (Reserve), if a user attaches a file in a meeting invitation (in Outlook) while booking a room, is that file going to be attached in the SMTP message that is sent to TRIRIGA? Has anyone tested this, or does anyone have the ability to test this?

The concern is around confidentiality. If someone attaches a company confidential document and the message is sent over SMTP (non-secure) to IBM Cloud (TRIRIGA SaaS) with the attachment, the document is now exposed to the public internet.

In your scenario, the Send connector configured in Exchange is responsible for sending the message to TRIRIGA. I believe that, by default, the Send connector will also send attachments. There may be some configuration on the Exchange side that prevents or limits a particular Send connector from forwarding attachments.

[Admin: This post is related to the 05.23.17 post about setting up the Reserve SMTP Agent for Secure SMTP (SMTPS). To see other related posts, use the SMTP tag or Attachment tag.]


Is there a way to (OM) migrate integration object records?


Is it possible to (OM) migrate integration object records? I’ve created two integration objects in my Dev environment. But I’m not sure which BO to use to (OM) migrate my two records to my Test environment.

[Admin: To see other related posts, use the Integration Object tag.]


What are the minimum database permissions required by TRIRIGA?


I found this technote on the minimum required database permissions for TRIRIGA:

Following are the minimum permissions.
Anything else is untested and unsupported.

ALTER USER $dbuser$ QUOTA UNLIMITED ON $data_tblspace$;
ALTER USER $dbuser$ QUOTA UNLIMITED ON $index_tblspace$;

GRANT ANALYZE ANY TO $dbuser$;
GRANT CREATE VIEW TO $dbuser$;
GRANT CREATE TABLE TO $dbuser$;
GRANT ALTER SESSION TO $dbuser$;
GRANT CREATE SESSION TO $dbuser$;
GRANT CREATE SYNONYM TO $dbuser$;
GRANT CREATE TRIGGER TO $dbuser$;
GRANT CREATE SEQUENCE TO $dbuser$;
GRANT CREATE PROCEDURE TO $dbuser$;
GRANT DROP PUBLIC SYNONYM TO $dbuser$;
GRANT CREATE PUBLIC SYNONYM TO $dbuser$;
GRANT CONNECT TO $dbuser$;

ALTER USER $dbuser$ DEFAULT ROLE CONNECT;

But the following permissions are restricted for our customer:

ANALYZE ANY
ALTER SESSION
DROP PUBLIC SYNONYM
CREATE PUBLIC SYNONYM

Can you tell me if these permissions are only needed for installation? Or are they also required for runtime?

The IBM TRIRIGA product team does not test or validate lower permissions than what is documented. All permissions granted to the user are required for the support of TRIRIGA, and removing permissions can lead to unexpected behavior, performance problems, and possibly data corruption.


Why doesn’t the triCurrencyUO field update on payment line item?


We added a new currency and it is not working in production. However, when we copied the production database to a test environment, it does work.

A new currency, “Serbian Dinar”, was created. It was added to the UOM Values object and to the “Currency” list. The new currency was added to the real estate lease and the payment schedule with no issues. However, when payment schedules are generated and the payment line items are created, the triCurrencyUO field on the payment line item is blank and not updated from the payment schedule.

Clearing the TRIRIGA cache did not resolve this issue. The issue was resolved by restarting the application server.
