Security risk in Self-service portal?

We have a normal user with only domain user access rights. These users can manage their own AD groups, e.g. they are primary managers of an AD group.

While logged in via the self-service portal as a normal user, we click on the "Groups I manage" within the portal and it shows my groups.

Looking at the web browser URL, I can change my name, e.g. bob+jones to beth+hope, and hit enter. It then shows me the other user's groups they manage and I can at that point add or remove people from those groups.

Example URL: server/.../CustomCommands.aspx

I should not have the ability to change any group that I don't manage.

Within the Active Roles console when logged in as admin, I'm able to see the history for that group and it shows me that my normal account made changes to the group I shouldn't have access to.

Is this something others can do or is it my console/web configuration?

Is there a way to run a report to show all groups that have been changed by users that don't have primary or secondary management?
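The behaviour described in the post is a classic broken-access-control pattern: the portal takes the acting identity from a URL parameter instead of from the authenticated session. The following is an added example, not code from the thread or from Active Roles, that models the weakness beside a hardened handler and also produces the report the post asks for (group changes made by accounts that were neither primary nor secondary managers). Group names, user names and the change history are constructed sample data; `managed_by` and `secondary_owners` stand in for the `managedBy` and `secondaryOwners` attributes mentioned in the thread.

```python
# Added example (not from the thread, not Active Roles code).
# Models two things discussed in the post:
#  1. a self-service handler that trusts the user name from the URL (the reported
#     weakness) next to one that uses the authenticated session identity and
#     re-checks managedBy / secondaryOwners before every membership write;
#  2. a report of change-history entries whose actor was not a manager of the group.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    managed_by: str                                     # primary manager (managedBy)
    secondary_owners: set = field(default_factory=set)  # secondaryOwners (multi-valued)
    members: set = field(default_factory=set)

# Constructed directory: two groups with different managers.
DIRECTORY = {
    "Finance-Approvers": Group("Finance-Approvers", "bob.jones", {"carol.wu"}, {"dan.li"}),
    "HR-Editors": Group("HR-Editors", "beth.hope", set(), {"erin.oz"}),
}

def is_group_manager(user, group):
    """True if user is the primary manager or one of the secondary owners."""
    return user == group.managed_by or user in group.secondary_owners

def managed_groups(user):
    """The 'Groups I manage' view, computed from the directory for one user."""
    return sorted(g.name for g in DIRECTORY.values() if is_group_manager(user, g))

def vulnerable_add_member(url_user, group_name, new_member):
    """Reported behaviour: the acting identity comes from the URL, so any
    authenticated user can act as any manager by editing the query string."""
    group = DIRECTORY[group_name]
    if not is_group_manager(url_user, group):
        return "denied"
    group.members.add(new_member)
    return "added"

def hardened_add_member(session_user, url_user, group_name, new_member):
    """Hardened form: the identity is the authenticated session user. The URL
    value is only a display hint and must match it, and the manager check is
    repeated server-side on every write, not only when rendering the page."""
    if url_user != session_user:
        return "denied"          # parameter tampering; worth logging
    group = DIRECTORY[group_name]
    if not is_group_manager(session_user, group):
        return "denied"
    group.members.add(new_member)
    return "added"

def unauthorized_changes(history):
    """Report: entries whose actor was not a primary or secondary manager of the
    group. `history` is a list of (actor, group_name, action) tuples."""
    return [
        (actor, grp, action)
        for actor, grp, action in history
        if not is_group_manager(actor, DIRECTORY[grp])
    ]

# Constructed change history, in the spirit of the console's history view.
HISTORY = [
    ("bob.jones", "Finance-Approvers", "add member dan.li"),
    ("bob.jones", "HR-Editors", "add member mallory"),     # bob does not manage HR-Editors
    ("beth.hope", "HR-Editors", "remove member erin.oz"),
]

if __name__ == "__main__":
    # Anyone can put beth.hope in the URL, so the vulnerable handler allows the write.
    print(vulnerable_add_member("beth.hope", "HR-Editors", "mallory"))
    # The hardened handler denies it because the session user is bob.jones.
    print(hardened_add_member("bob.jones", "beth.hope", "HR-Editors", "mallory"))
    for row in unauthorized_changes(HISTORY):
        print("UNAUTHORIZED:", row)
```

In a real deployment the authoritative control is the delegation model (which access templates are applied to the group-containing OUs, and to whom), not the portal page; the report function shows the shape of the query to run over the console's change history to find writes that slipped past it.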

  • Seems like the delegated permissions are not set up correctly for groups.

    Ideally, if you look at the OU(s) containing your groups, your Owners and Secondary owners should have delegated permissions something like this:

    The "Self - Group Management" access template is one of the pre-defined ones available under Configuration | Access Templates | User Self-Management and grants the right for the respective AR-specific security principals to manage their own groups.

  • Hi JQ.

    Within AR I can see what you are saying. We don't have the Self-Group Management access template showing, only Groups - Read all Properties.

    Whenever a manager of a group is added to the managedBy or secondaryOwners attribute, the user at that point is provided the Groups - Read/Write Group Members.

    I've gone through all levels of the OUs and can't find anything that would allow any user to be able to just manage any group.

  • Would you be able to share a screen cap of the delegated permissions (Trustees and Access Templates) of a typical group-containing OU? If possible, include the part that shows where in AD the template was originally applied. Hint: Right-click the lower right pane in the MMC and ensure that "Show inherited" is enabled.

