Delete button displayed for user with ROLE_OBSERVER role

Nathan Sowatskey
Cisco Employee

Hi

The first attached image shows the Device Inventory dashboard UI for a user, "observer", with the ROLE_OBSERVER role.

Note that the "Set ..." and "Delete" buttons are displayed. These are all write actions that should not be possible for a user with a role of ROLE_OBSERVER. The second image attached shows the outcome of attempting to actually Delete, which displays an error message.

It is contrary to established security and UI design practices to display options in a UI for a user who does not have the permissions to use those options. It is incorrect to display such options, allow the user to attempt to use them, and then display an error message.

At the very least, the options should be greyed out indicating that they are not actually available.

It is insecure to reveal to a user any more information about the UI, and so the capabilities of the system, than their assigned role gives them permission to access.

[Attachments: delete_button_observer.tiff, invalid_role_delete_device.tiff]

Regards

Nathan
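As an added example that is not part of the original post or of the product it describes: one way to structure this so the Device Inventory UI only renders the actions a role can actually perform, while the server still enforces the same rule for any request that bypasses the UI (a user with the observer role can always call the delete endpoint directly, so hiding the button is hygiene, not the control). The role name ROLE_OBSERVER is taken from the post; ROLE_ADMIN, the permission strings, the action labels and the HTTP-style status codes are assumptions made for the example.

```python
"""Added example (not the product's code): one permission table drives both
what the UI renders and what the API enforces, so the two cannot drift apart.

Assumed names: ROLE_ADMIN, the "device:*" permission strings, the action
labels and the HTTP-style status codes. ROLE_OBSERVER comes from the post.
"""

# Single source of truth for authorization. Roles not listed get nothing.
PERMISSIONS = {
    "ROLE_ADMIN": {"device:read", "device:set", "device:delete"},
    "ROLE_OBSERVER": {"device:read"},
}

# Device-inventory controls and the permission each one requires (assumed).
UI_ACTIONS = [
    ("View", "device:read"),
    ("Set Location", "device:set"),
    ("Set Tag", "device:set"),
    ("Delete", "device:delete"),
]


class Forbidden(Exception):
    """Raised by the server layer when a role lacks the required permission."""


def has_permission(role, permission):
    """Deny by default: an unknown role has no permissions at all."""
    return permission in PERMISSIONS.get(role, set())


def visible_actions(role):
    """Controls the UI should render for this role.

    The observer never sees "Set ..." or "Delete", instead of seeing them,
    clicking, and being shown an error.
    """
    return [label for label, perm in UI_ACTIONS if has_permission(role, perm)]


def delete_device(role, inventory, device_id):
    """Server-side enforcement, independent of whatever the UI displayed."""
    if not has_permission(role, "device:delete"):
        raise Forbidden(f"{role} may not delete devices")
    if device_id not in inventory:
        raise KeyError(device_id)
    del inventory[device_id]


def handle_delete_request(role, inventory, device_id):
    """Request handler mapping outcomes to status codes (assumed convention).

    Returns 200 on success, 403 when the role is not allowed, 404 when the
    device does not exist. The 403 is the real security control; the UI
    gating in visible_actions() is only there so users are not offered
    options they cannot use.
    """
    try:
        delete_device(role, inventory, device_id)
    except Forbidden:
        return 403
    except KeyError:
        return 404
    return 200


if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = {"switch-01": {"ip": "10.0.0.1"}, "router-01": {"ip": "10.0.0.2"}}

    for role in ("ROLE_OBSERVER", "ROLE_ADMIN", "ROLE_UNKNOWN"):
        print(role, "sees:", visible_actions(role))

    # An observer who crafts the request directly (bypassing the UI) is still refused.
    print("observer delete ->", handle_delete_request("ROLE_OBSERVER", inventory, "switch-01"))
    print("admin delete    ->", handle_delete_request("ROLE_ADMIN", inventory, "switch-01"))
    print("remaining:", sorted(inventory))
```

Both layers read the same PERMISSIONS table: the UI asks it what to render, the request handler asks it whether to act. Adding a new write action means adding one permission string and one UI entry, and there is no way for the button to appear for a role the server would reject.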


yawming
Cisco Employee

Thanks Nathan,

I have forwarded to the dev team.