2 Replies Latest reply on Nov 23, 2010 6:16 AM by bleearg13

Disabling breadcrumbs and other security concerns

bleearg13

Is there a way to completely disable the "breadcrumbs" feature?  I have accounts set up with account limitations (different customers, etc.) and when they click on one of the breadcrumb dropdowns, by default, they are shown names of devices that they don't even have access to.  Why would I want a customer of mine seeing that a competitor of theirs is also a customer of ours?

This brings to light a number of security-related concerns I've had with NPM for years.  Lots of information is provided to an account and even with account limitations, they are able to see a LOT more information than they should be able to see.  For instance, the 'AllMaps' page.  I'd like to know why some unprivileged, but knowledgeable user can simply type in 'http://servername/Orion/NetPerfMon/AllMaps.asp' and see maps of my entire network.  Huh?

I cannot include Syslog, Alert, or Event information in customer views because none of these resources are tied to a specific node.  In other words, if I have the Syslog page on a custom view and that account has a limitation of only devices with a specific customer ID, the customer still sees my entire network's syslogs.  I have not tried to create a View with a View Limitation to test this out, because that just doesn't scale.

I've taken to hand-editing the .asp and .aspx files to remove information in resources that I don't want customers to see.  For instance, in the 'Percent Utilization of All Interfaces' resource, why does my customer need to see a mouseover popup of the switch name, IP address, CPU utilization, and model number of the equipment their port is attached to?  They don't.

When new versions come out, why does Orion need to add a bunch of extra pages and tabs to every account in my system?  With 50+ accounts that have minimal viewing capabilities, suddenly an upgrade adds a new "Virtualization" tab, which is completely unnecessary.  Now I have to remove this option from 50+ accounts.  Thankfully, the new addition of multiple account editing saved me some time in doing this.
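The post's point about AllMaps.asp is that account limitations scope which nodes a user sees, but not which pages a user can reach. Until a product fix lands, one defender-side control is to watch the web server's own logs for limited accounts reaching such pages. The script below is an added example, not code from the post or from SolarWinds: it parses IIS W3C extended log lines and flags successful requests to restricted paths by accounts outside an assumed privileged set. The log lines, account names and the privileged set are constructed for illustration.

```python
from typing import Dict, Iterator, List, Tuple

# Constructed IIS W3C log sample (not from the original post); the #Fields line
# drives parsing, so the same code handles sites with different field orders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-11-22 09:01:13 GET /Orion/SummaryView.aspx customer_acme 10.0.5.20 200
2010-11-22 09:01:47 GET /Orion/NetPerfMon/AllMaps.asp customer_acme 10.0.5.20 200
2010-11-22 09:02:02 GET /Orion/NetPerfMon/AllMaps.asp npm_admin 10.0.1.9 200
2010-11-22 09:02:30 GET /Orion/NetPerfMon/AllMaps.asp - 10.0.5.21 401
"""

# Pages the post names as exposing network-wide data; compared case-insensitively
# because IIS paths are case-insensitive. Extend with other unscoped pages as needed.
RESTRICTED_PATHS = {"/orion/netperfmon/allmaps.asp"}

# Assumed set of accounts entitled to unscoped pages (in practice, the Orion admin accounts).
PRIVILEGED_ACCOUNTS = {"npm_admin"}


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no field header yet, or a malformed entry: skip rather than guess
        yield dict(zip(fields, values))


def find_unscoped_access(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, path) for 2xx requests to restricted pages by non-privileged accounts."""
    hits = []
    for entry in parse_w3c(text):
        path = entry["cs-uri-stem"]
        user = entry["cs-username"]
        served = entry["sc-status"].startswith("2")  # a 401/403 means the page was not exposed
        if path.lower() in RESTRICTED_PATHS and served and user != "-" and user not in PRIVILEGED_ACCOUNTS:
            hits.append((entry["date"] + " " + entry["time"], user, path))
    return hits
```

Run it against the real IIS log directory on the Orion web server; one hit per limited account per page is enough to confirm that the page, not just the breadcrumb data, needs restricting.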