Assigning Rights to Export Accounts - Confusion, Inconsistencies, and Information Leakage
All of the built-in roles in PMP have a non-admin privilege named "Export Passwords." The privileges assigned by role and the privileges assigned by "Offline Access" are not correctly implemented. If the role you are assigned has the "Export Passwords" privilege, it doesn't matter if exporting is disabled for your user, your group, or even globally. You can STILL export all of the accounts under "Resource Actions."
Finally, "Export Passwords" is a misnomer - the function actually exports the accounts, and whether or not passwords are displayed is another configurable option.
All of this is a big mess and it took me two hours of experimentation to figure it all out. Can this be fixed?