Orion Security Hole v2

byrona

I am posting this as v2 because I had originally posted this issue HERE a few years back but have been unable to get a status update on it.  I thought I could refresh the issue by posting a new thread on it.

We use account limitations to based on a Custom Node Property to limit our customers to only see the nodes that belong to them.  The problem is that all a customer would need to do is change the viewID in the URL to gain access to a different dashboard.  This generally isn't a problem as they still can't access the nodes; however, they do still have access to static content such as map background images which often includes design diagrams.

This represents an obvious security hole and is keeping us from leveraging maps in Orion which we could really use at this point.

It was suggested to me on my original post above that the issue was logged and was on the short list of things to be resolved.  Could somebody from SolarWinds respond back and let me know if this is still something that is on the road-map?

fcaron

Hi Byron,

The issue you are talking about has also been discussed here:

In the section "This will provide the expected view, but you will want to know about the following behavior of the system: If the Account ACME user can modify the URL ..."

Long story short, this issue is identified but has not been fixed yet and is not planned, at this time, in a short time frame.