
[JIRAALIGN-1235] Admin -> Portfolio view does not restrict the list of portfolios per the logged in user


Details

    • 2
    • Severity 1 - Critical
    • Avengers - RHP8, Stubborn Dragons - RHP9, Stubborn Dragons - SCORP1

    Description

      Issue Summary

      In https://jira.atlassian.com/browse/JIRAALIGN-1132 we implemented a fix in 10.66 that would allow a user to filter out portfolios in Administration -> Portfolio based on the Tier 1 setting.

      However, the intent of the bug report was not only to implement filtering but also to restrict users from seeing and managing Portfolios that they do not have access to.

      This security restriction is what is missing from what we delivered in JIRAALIGN-1132.

      Steps to Reproduce

      1. Log in as a non-Super Admin user
      2. Reset the Tier 1 filter (configuration bar) with no portfolios selected
      3. Navigate to Admin -> Portfolio

      Expected Results

      User should be prohibited from viewing and editing any Portfolios that they do not have access to. In other words, they should see either a restricted list of Portfolios or no Portfolios at all.

      Actual Results

      User is able to view and edit all portfolios.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
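
      The difference between the Tier 1 filter delivered in JIRAALIGN-1132 and the access restriction this ticket asks for, as an added example that is not Jira Align code: a hypothetical Python model of the Admin -> Portfolio listing. `User`, `PORTFOLIOS`, the sample data and all function names are assumptions made for illustration.

```python
# Hypothetical model of the Admin -> Portfolio listing; not Jira Align's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_super_admin: bool = False
    portfolio_ids: frozenset = frozenset()  # portfolios the user has access to


# Constructed sample data: portfolio id -> name.
PORTFOLIOS = {1: "Retail", 2: "Payments", 3: "Platform"}


def list_portfolios_filter_only(user, tier1_selection):
    """Behaviour reported in the ticket: the Tier 1 selection is the only
    constraint, so a reset (empty) selection returns every portfolio."""
    if not tier1_selection:
        return sorted(PORTFOLIOS)
    return sorted(pid for pid in PORTFOLIOS if pid in tier1_selection)


def allowed_ids(user):
    """Server-side source of truth for what this user may see and manage."""
    if user.is_super_admin:
        return set(PORTFOLIOS)
    return set(user.portfolio_ids) & set(PORTFOLIOS)


def list_portfolios_authorized(user, tier1_selection):
    """Expected behaviour: authorization is applied first, and the Tier 1
    selection can only narrow the result, never widen it."""
    allowed = allowed_ids(user)
    if tier1_selection:
        allowed &= set(tier1_selection)
    return sorted(allowed)


def can_edit(user, portfolio_id):
    """Edits re-check access on the server instead of trusting the list view."""
    return portfolio_id in allowed_ids(user)
```

      In this model an empty Tier 1 selection means "no narrowing", so the authorized version falls back to the user's own access set, which may be empty.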

            People

              cgottlieb@atlassian.com Caz (Inactive)
              kbaxley Kent Baxley