
2008/11/11 Anton Gubar'kov
I'm an IT service provider for company Acme. I support Acme's ERP system. My agents are trustworthy.
Hi Anton,
This is the problem; you cannot guarantee that your agents are
trustworthy... Anyone with access to the tickets will have access to
these passwords. This is in my opinion NOT a technical issue. You
should eliminate the problem by choosing one of the following:
* Alter the function that resets the password so that it will send the
new password automatically to the user
* Let the service desk agent send the password directly to the
customer from his own account, NOT using OTRS.
In both cases the agent should just put a note in OTRS, something like
'new password sent to user', and close the ticket.
That way people with access to the ticket, either internal or
external, can see what actions have been taken and when (the new
password was sent to the user) but there is no security risk because
there are no passwords in clear text in accessible fields in OTRS.
Regards,
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl
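One way to implement Michiel's first option, as an added example and not OTRS or ERP code: the reset routine generates a temporary password, hands it to an out-of-band channel (the constructed OUTBOX below stands in for mail sent directly to the user), marks it single-use, and returns only a password-free note for the ticket. The in-memory user store, the agent id and the ticket id are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed stand-ins: an ERP user store and the out-of-band delivery channel.
USERS = {"ann": {"pw_hash": None, "salt": None, "must_change": False, "locked": True}}
OUTBOX = []  # messages handed to the user directly, never written to a ticket
ALPHABET = string.ascii_letters + string.digits


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def reset_password(user_id, agent_id, ticket_id):
    """Unlock the account, deliver a single-use temporary password out of band,
    and return the only text that may be stored in the ticket (hypothetical API)."""
    user = USERS[user_id]
    temp_password = "".join(secrets.choice(ALPHABET) for _ in range(16))
    salt = os.urandom(16)
    user.update(pw_hash=hash_password(temp_password, salt), salt=salt,
                must_change=True, locked=False)
    OUTBOX.append({"to": user_id, "body": temp_password})
    note = f"[{ticket_id}] Password for {user_id} reset by {agent_id}; new password sent directly to the user."
    assert temp_password not in note  # the secret must never reach the ticket
    return note


def login(user_id, password):
    """Return 'ok', 'change_required' (temporary password accepted once) or 'denied'."""
    user = USERS[user_id]
    if user["locked"] or user["pw_hash"] is None:
        return "denied"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied"
    return "change_required" if user["must_change"] else "ok"


def change_password(user_id, old_password, new_password):
    """Replace the temporary password; afterwards the temporary one no longer works."""
    if login(user_id, old_password) == "denied":
        return False
    salt = os.urandom(16)
    USERS[user_id].update(pw_hash=hash_password(new_password, salt), salt=salt,
                          must_change=False)
    return True
```

Only the returned note is written to the ticket, so anyone watching the company's tickets sees that a reset happened but never the password itself.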
2008/11/11 Anton Gubar'kov
Colleagues, I'm sorry for putting so much confusion into the case.
I'm an IT service provider for company Acme. I support Acme's ERP system. My agents are trustworthy. Acme has users Ann and Mallory. Ann is a financial controller. Mallory is a salesman. Mallory wants to hijack Ann's privilege to release credit-blocked orders in Acme's ERP to satisfy his customer with a credit block. Mallory tries to log in 5 times using Ann's user id and causes it to lock. Mallory starts to watch Company tickets, waiting for Ann to raise a password reset request with me. Ann raises a password reset request. Mallory continues watching, waiting for the new password to appear on Ann's ticket. Before Ann has a chance to change her new password, Mallory logs in as Ann and releases the blocked order.
I want to control access to tickets from my customer's users. Can you suggest a way to resolve this case?
2008/11/11 Jie(Jack) Zhu
Sorry Anton, I do not quite understand what the point is.
Suppose you have the rights to reset a password for a user. Don't you have the rights to do the search on this user and relatives?
This is the problem: whether you trust your agent or not.
I think the access control is quite advanced in OTRS. You have Role and Group. You can create a role and put groups in it. Then add the role to the users.
If you want, you can put different companies into different groups and only set the agent on the groups they are responsible to. This way could narrow down the risk?
In this way, you can even set each user in each group. :)
Regards,
Jack
________________________________
From: Anton Gubar'kov [mailto:anton.gubarkov@gmail.com] Sent: 10 November 2008 14:41 To: User questions and discussions about OTRS. Subject: [otrs] company tickets access control
Hello, list.
I've come across a problem I can't overcome. Suppose I have a request to reset a password on some account for a user due to account locked or password forgotten. I thought I could communicate the new password to a user using external-email or external-note article. But it is really too dangerous to do that!
The whole company tickets collection is searchable! I could find no way to control access to the tickets in one CustomerID except one using queues. The queues are usually used for a different purpose. The alternative is to quit using CustomerID and treat every user as an individual customer. This is not convenient either, as some bosses at customers want to watch the requests of their subordinates.
This is the simplest example that comes to mind. There is a lot more sensitive information circulating in the process of IT Service Delivery that should not be shared across an entire customer.
I would be grateful for suggestions to solve this security issue.
Regards, Anton Gubarkov.