PSA: Users no longer require read access to their own database object to work

EcoStruxure Geo SCADA Expert Forum


AdamWoodland

Hi Everyone,

I do ClearSCADA database reviews for end users and one of the most common issues found on databases that have been around for a while is ACLs on users allowing non-administrative users access.

Up until CS2015R2 (I think, that era anyway, someone from the product team might be able to confirm exactly) users needed read access to their own database object for their settings to be correctly loaded at logon. Ideally you would spend effort and only give that user access to their object (along with user administrators) but in reality what happened was whole user groups were given read access to all user objects. In some extreme cases Everyone is given read allowing anyone to dump the entire user list and their config using some simple SQL (no passwords) and in one case I found Guest even had configure... that was fixed pretty quickly.

In recently released builds the user has implied access to their own database object so only those who administer users now need any ACLs on user accounts. An exception would be if there was some metadata stored against the user that might be used in mimic scripting or something, but those solutions are pretty rare.

An SQL query that might be useful is:

SELECT
ID, FULLNAME, ACLASTEXT AS "Local", PARENTGROUPID->ACLASTEXT AS "Parent"
FROM
CDBOBJECT
WHERE
ID <> 0 AND "Local" <> "Parent"
ORDER BY
"FullName" ASC

The query simply lists all objects whose ACLs do not exactly match their parent object's. It should show you any custom security you have in place so you can audit it. It will also highlight cases where the order of the items in the ACLs is different but the effective permissions are the same (i.e. not inherited: someone removed and then re-added someone with the exact same permissions), but those should be pretty rare and in those cases probably need to be set back to inherited anyway.

Accepted Solutions
BevanWeiss
Re: PSA: Users no longer require read access to their own database object to work

In addition, there has been a new property added (to CDBObject), ACLInherited, which tells you whether the security permissions have been inherited.

So my slight tweak on the query that Mr @AdamWoodland had.

SELECT
ID, FULLNAME, ACLInherited, ACLASTEXT AS "Local", PARENTGROUPID->ACLASTEXT AS "Parent"
FROM
CDBOBJECT
WHERE
ID <> 0 AND ("Local" <> "Parent" OR ACLInherited<>TRUE)
ORDER BY
"FullName" ASC


Lead Control Systems Engineer for Alliance Automation (VIC).
All opinions are my own and do not represent the opinions or policies of my employer, or of my cat.

AdamWoodland

Re: PSA: Users no longer require read access to their own database object to work

Hmm, great idea!
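The caveat in Adam's post (the query also flags ACLs whose entries are merely reordered) and the ACLInherited flag from Bevan's reply can be combined in a short post-processing step over the query's result set. The following is an added example, not code from the thread or from Schneider Electric; it assumes an ACLASTEXT layout of comma-separated "Principal:Perm|Perm" entries (an assumption made for illustration, not the documented format) and uses constructed rows in place of rows fetched from a Geo SCADA server.

```python
"""Order-insensitive audit of Local vs Parent ACL text from the thread's query."""
from typing import FrozenSet, List, Tuple

# Assumed ACLASTEXT layout: "Principal:Perm|Perm, Principal:Perm". This is an
# assumption for the example, not the documented Geo SCADA format.

def parse_acl(text: str) -> FrozenSet[Tuple[str, FrozenSet[str]]]:
    """Turn ACL text into a set of (principal, rights) so entry order is ignored."""
    entries = set()
    for item in text.split(","):
        if not item.strip():
            continue
        principal, _, perms = item.partition(":")
        rights = frozenset(p.strip().lower() for p in perms.split("|") if p.strip())
        entries.add((principal.strip().lower(), rights))
    return frozenset(entries)

def classify(row: dict) -> str:
    """'inherited', 'reordered' (same rights, different text) or 'custom'."""
    if row.get("ACLInherited") is True or row["Local"] == row["Parent"]:
        return "inherited"
    if parse_acl(row["Local"]) == parse_acl(row["Parent"]):
        return "reordered"
    return "custom"

def broad_grants(row: dict) -> List[str]:
    """Broad principals (Everyone/Guest) holding any right in the local ACL."""
    return sorted(p for p, rights in parse_acl(row["Local"])
                  if p in ("everyone", "guest") and rights)

def audit(rows: List[dict]) -> List[Tuple[int, str, str, List[str]]]:
    """Rows needing review: (ID, FULLNAME, classification, broad principals)."""
    return [(r["ID"], r["FULLNAME"], classify(r), broad_grants(r))
            for r in rows if classify(r) != "inherited"]

ROWS = [  # constructed sample rows shaped like the thread's query output
    {"ID": 1, "FULLNAME": "Users", "ACLInherited": False,
     "Local": "Administrators:Configure|Read, Operators:Read",
     "Parent": "Administrators:Configure|Read"},
    {"ID": 2, "FULLNAME": "Users.Alice", "ACLInherited": False,
     "Local": "Operators:Read, Administrators:Read|Configure",
     "Parent": "Administrators:Configure|Read, Operators:Read"},
    {"ID": 3, "FULLNAME": "Users.Bob", "ACLInherited": True,
     "Local": "Administrators:Configure|Read",
     "Parent": "Administrators:Configure|Read"},
    {"ID": 4, "FULLNAME": "Users.Guest", "ACLInherited": False,
     "Local": "Everyone:Read, Guest:Configure",
     "Parent": "Administrators:Configure|Read"},
]
```

Running audit(ROWS) reports IDs 1, 2 and 4; ID 2 is classed as "reordered" (same effective rights as its parent, so a candidate to set back to inherited) and ID 4 is flagged for its Everyone and Guest entries.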