Access to application file system with user role and database access permission

Sébastien Roux, Oct 10 2024

Hi, let me bring to your attention that in Essbase 21, users with the User role and Database Access permission are still able to access the application file system and then download sensitive files such as data import or data export files.

We discovered this issue last year following an Essbase migration to Essbase 21 Marketplace, as our customer uses native security and users had to access the console in order to reset their password.

An enhancement was raised but recently rejected (35782314 - MP: ESSBASE 21.4 RESTRAIN USER ACCESS TO APPLICATION FILES) as you should consider this behavior implemented by design.

From my own personal point of view, this is a flaw by design which impacts both Essbase on independent deployment and Marketplace.

https://docs.oracle.com/en/database/other-databases/essbase/21/ugess/user-role.html#GUID-59D9A447-F513-4261-B7FB-FEB390C4A9C2: "With Database Access permission, you can also view the cube outline, and download files and artifacts from the application and cube directories. Job types you can run include building aggregations (if the cube is an aggregate storage cube), and running MDX scripts. Using the Console, you can view database size and monitor your own sessions."

What would be your point of view with respect to it? Thank you.
