No realm-wise data access protection!!!

This topic has 8 replies, 3 voices, and was last updated 5 years, 5 months ago by Firos.

  • #11823
     Firos
    Participant

    I have 2 realms under root at the same level:
    Realm-1: User-1
    Realm-2: User-2

    I authenticated as User-1 using the Authentication API and got an access token.
    Using the Realm-1 user's (User-1) access token I can list users, list groups or perform any other operation in Realm-2. We can't allow that.

    No data isolation? Or are there any settings to do?

    #12279
     Firos
    Participant

    How to secure data realm-wise? Is it a bug, or a config issue?

    #12333
     Firos
    Participant

    Doesn't OpenAM provide realm-wise data isolation and security?

    #12349
     Firos
    Participant

    One realm can read data of other realms, why?

    #12360
     Rogerio Rondini
    Participant

    Should not, I believe.

    Check Privileges for "All authenticated users" in the Privileges tab of each sub-realm.

    #12361
     Firos
    Participant

    Tested with no privileges and with some privileges checked.

    Also in all environments.

    #12436
     Firos
    Participant

    One user cannot access the details of another user in the same or another realm (in that case the API response is "no permission"). But one user can list all users/groups in the same or another realm.

    #12584
     Peter Major
    Moderator
    #12613
     Firos
    Participant

    Oh great, I think the next version will resolve the issue; otherwise it will be a security issue.
    Thanks Peter, I was not sure whether the issue was with my configuration or not.
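An added check (not part of this thread and not ForgeRock's code) that reproduces the symptom Firos describes as a regression test against a deployment: log in as a user in one realm, then try to enumerate users in a sibling realm with that session token. It assumes the AM 5-style REST paths `/json/realms/root/realms/<realm>/authenticate` and `.../users`, the `X-OpenAM-Username`/`X-OpenAM-Password` login headers and the `iPlanetDirectoryPro` session header; `fake_server` is a constructed stand-in for `urlopen` so the check can be exercised offline.

```python
import io
import json
import urllib.error
import urllib.request

API_VERSION = "resource=2.0, protocol=1.0"  # classic AM/OpenAM REST version header

def _realm_url(base_url, realm, path):
    return f"{base_url.rstrip('/')}/json/realms/root/realms/{realm}/{path}"

def authenticate(base_url, realm, username, password, opener=urllib.request.urlopen):
    """Zero-page login against the realm's authenticate endpoint; returns the tokenId."""
    req = urllib.request.Request(
        _realm_url(base_url, realm, "authenticate"), data=b"{}", method="POST",
        headers={"Content-Type": "application/json", "Accept-API-Version": API_VERSION,
                 "X-OpenAM-Username": username, "X-OpenAM-Password": password})
    with opener(req) as resp:
        return json.load(resp)["tokenId"]

def list_users(base_url, realm, token, opener=urllib.request.urlopen):
    """Query the realm's users collection; returns (http_status, resultCount or None)."""
    req = urllib.request.Request(
        _realm_url(base_url, realm, "users?_queryFilter=true"),
        headers={"iPlanetDirectoryPro": token, "Accept-API-Version": API_VERSION})
    try:
        with opener(req) as resp:
            return resp.status, json.load(resp).get("resultCount")
    except urllib.error.HTTPError as err:  # 401/403 is the expected, isolated answer
        return err.code, None

def cross_realm_leak(base_url, home_realm, creds, other_realm, opener=urllib.request.urlopen):
    """True when a token minted in home_realm can enumerate users in other_realm."""
    token = authenticate(base_url, home_realm, *creds, opener=opener)
    status, count = list_users(base_url, other_realm, token, opener=opener)
    return status == 200 and (count or 0) > 0

def fake_server(isolated):
    """Constructed stand-in for urlopen (not a real AM); home realm is assumed to be Realm-1."""
    def opener(req):
        if req.get_full_url().endswith("/authenticate"):
            body = {"tokenId": "AQIC5w..constructed", "realm": "/Realm-1"}
        elif isolated and "/realms/Realm-1/" not in req.get_full_url():
            raise urllib.error.HTTPError(req.get_full_url(), 403, "Forbidden", {}, None)
        else:  # the leaky behaviour from the thread: another realm's users are returned
            body = {"result": [{"username": "User-2"}], "resultCount": 1}
        resp = io.BytesIO(json.dumps(body).encode())
        resp.status = 200
        return resp
    return opener
```

Run `cross_realm_leak` against a real base URL with the default opener for each pair of sibling realms; any `True` means the Privileges settings are not enough and the instance needs the fix Peter refers to.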
