
POA table - Security Issue (CRM 4, CRM 2011)

Author Name: Davide Zaccagnini

Imagine this scenario:
User X in the TOP BU
User Y in the TOP BU
User X and User Y are Sys Admin, so they can see everything
User X creates an Account, called A1
User X creates a Contact called C1 under A1
User Y creates an Account, called A2

At this point, none of A1, A2 or C1 is in the POA table.

User X sets A2 as the parent account of A1.
As a consequence, A1 and C1 now appear in the POA table linked to User Y.
I understand why this happens, so no problem.

Here is the mystery:

User X REMOVES A2 as the parent of A1.
As a consequence, A1 and C1 are NOT deleted from the POA table. The only thing that changes is the InheritedAccessRightsMask, which gets set to 0 for both records.

You may say now: "Ok, why are you complaining that these 2 records are not removed??"
The answer is: "This is a huge problem considering how p_GrantInheritedAccess is done."

Imagine that there is an entity called "Summary" which is a child entity of the Contact.
If User X creates a new Summary under C1, you will notice that in the POA table the Summary will be linked to User Y (with a valid InheritedAccessRightsMask), even if this HAS NO SENSE AT ALL.
This increases the size of the POA table, but it also introduces a security bug in the system.

Status: Under Review
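The scenario in the post, reduced to a runnable model (added here as an illustration; this is not the code of CRM or of the author, and it does not reproduce the real p_GrantInheritedAccess procedure). It keeps a toy PrincipalObjectAccess table with AccessRightsMask and InheritedAccessRightsMask, cascades access to the parent's owner when a parent is set, and on un-parenting either leaves the rows behind with a zero mask (the behaviour described above) or prunes them (the behaviour the reply says a recurring job should provide). The access-right bit, record names and user names are constructed for the example; the inheritance rule "every principal with a POA row on the parent gets inherited access on a new child" is an assumption derived from what the post observes.

```python
from dataclasses import dataclass, field
from typing import Optional

READ = 1  # constructed access-right bit; real CRM masks carry more bits


@dataclass
class Record:
    name: str
    owner: str
    parent: Optional["Record"] = None
    children: list = field(default_factory=list)


@dataclass
class PoaRow:
    principal: str           # user that is granted access
    obj: str                 # record the row is about
    access_mask: int = 0     # AccessRightsMask (explicit share, unused here)
    inherited_mask: int = 0  # InheritedAccessRightsMask


class PoaTable:
    """Toy model of the POA table plus the cascading logic around it."""

    def __init__(self, prune_stale: bool):
        self.rows: list[PoaRow] = []
        # True = delete a row once both masks are 0 (fixed behaviour);
        # False = leave it behind with InheritedAccessRightsMask = 0 (reported behaviour)
        self.prune_stale = prune_stale

    def rows_for(self, obj: str) -> list[PoaRow]:
        return [r for r in self.rows if r.obj == obj]

    def stale_rows(self) -> list[PoaRow]:
        """Rows that grant nothing any more; the ones a cleanup job should remove."""
        return [r for r in self.rows if not r.access_mask and not r.inherited_mask]

    def _row(self, principal: str, obj: str) -> PoaRow:
        for r in self.rows:
            if r.principal == principal and r.obj == obj:
                return r
        r = PoaRow(principal, obj)
        self.rows.append(r)
        return r

    def _grant_inherited(self, rec: Record, principal: str) -> None:
        if principal != rec.owner:  # owners need no POA row on their own records
            self._row(principal, rec.name).inherited_mask |= READ

    def _revoke_inherited(self, rec: Record, principal: str) -> None:
        for r in self.rows_for(rec.name):
            if r.principal == principal:
                r.inherited_mask = 0
        if self.prune_stale:
            self.rows = [r for r in self.rows if r.access_mask or r.inherited_mask]

    @staticmethod
    def _subtree(rec: Record):
        yield rec
        for child in rec.children:
            yield from PoaTable._subtree(child)

    def create(self, name: str, owner: str, parent: Optional[Record] = None) -> Record:
        rec = Record(name, owner, parent)
        if parent is not None:
            parent.children.append(rec)
            # Assumed inheritance rule: the parent's owner and every principal that
            # has a POA row on the parent get inherited access on the new record,
            # whether or not that row still carries a non-zero mask.
            principals = {parent.owner} | {r.principal for r in self.rows_for(parent.name)}
            for p in principals:
                self._grant_inherited(rec, p)
        return rec

    def set_parent(self, child: Record, parent: Record) -> None:
        child.parent = parent
        parent.children.append(child)
        for rec in self._subtree(child):  # cascade to the child and its descendants
            self._grant_inherited(rec, parent.owner)

    def remove_parent(self, child: Record) -> None:
        parent = child.parent
        if parent is None:
            return
        parent.children.remove(child)
        child.parent = None
        for rec in self._subtree(child):
            self._revoke_inherited(rec, parent.owner)


def run_scenario(prune_stale: bool) -> dict:
    """Replays the post's steps and reports what User Y ends up linked to."""
    poa = PoaTable(prune_stale)
    a1 = poa.create("A1", "X")
    c1 = poa.create("C1", "X", parent=a1)
    a2 = poa.create("A2", "Y")
    poa.set_parent(a1, a2)
    linked = sorted(r.obj for r in poa.rows if r.principal == "Y")
    poa.remove_parent(a1)
    stale = sorted(r.obj for r in poa.stale_rows() if r.principal == "Y")
    poa.create("S1", "X", parent=c1)  # the new "Summary" under C1
    leaked = any(r.principal == "Y" and r.obj == "S1" and r.inherited_mask
                 for r in poa.rows)
    return {"linked_after_parenting": linked,
            "stale_after_unparenting": stale,
            "summary_leaked_to_Y": leaked}


if __name__ == "__main__":
    print("reported:", run_scenario(prune_stale=False))
    print("pruned:  ", run_scenario(prune_stale=True))
```

With prune_stale=False the Summary record ends up linked to User Y, exactly as the post describes; with prune_stale=True the zero-mask rows are gone before the Summary is created, so nothing is copied. The stale_rows method is the check an administrator would run against the real table (rows where both masks are 0) to see whether the cleanup job is keeping up.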
Comments
Regular Visitor
Status changed to: Under Review
 
Regular Visitor
Thanks for reporting this. The entries with InheritedAccessRightsMask = 0 should be removed by a recurring system job. Further, we will investigate if there is a leak in permissions for child entities.