Impersonation
Sergio_Pinés_Martín
I have an asp.net application using LAPI, which logs in to the livelink server with a special account. I would like to use impersonation in some cases -- e.g., when downloading a document, I'd like the actual user to figure in the Audit; the actual user cannot create folders nor upload documents directly in Livelink - only the application user can, hence the user can only do these things through the application.

To use impersonation, it is required that my asp.net application user account be Admin. But this poses security problems, as the asp.net application should only have permissions on a small branch of the entire livelink site - we don't want the app user account to have full blown system admin rights.

Is there any way I could make my application user an Admin, but then revoke all risky system admin rights from it, leaving only the barely necessary, so that I can use impersonation via LAPI?

Thanks
SP
Comments
Sherrie_Wang_(eu0016200user3_-_(deleted))
In the LAPI documentation, for the Impersonate function, it says that "This function lets the Admin user impersonate (assume the identity and rights) of another user for the duration of the session." However, I found that any user with System Administration rights will be able to impersonate, not necessarily the Admin user. In order to impersonate, it requires that the user privilege include UAPI.PRIV_PERM_BYPASS (256), so the least privilege required for a user to be able to impersonate is 257 = 1 (PRIV_LOGIN) + 256 (PRIV_PERM_BYPASS). This can only be done from the database side. From the Livelink UI, the least privilege will be 271, which is 15 (Login Enabled) + 256 (System Administration Rights); it also equals UAPI.PRIV_LOGIN (1) | UAPI.PRIV_UAPI_SESSION (2) | UAPI.PRIV_DAPI_SESSION (4) | UAPI.PRIV_WAPI_SESSION (8) | UAPI.PRIV_PERM_BYPASS (256). In the end, it still requires System Administration rights to be able to impersonate, so if an application user needs only the impersonation right without system administrator rights, the patch is still the best way.

There are also other discrepancies in the LAPI guide saying that System Administration rights include User Administration rights, which is not correct, because the System Administration rights do not include UAPI.PRIV_UAPI_ADMIN (16). This can be proved from the UI: if a user is assigned System Administration rights without User Administration rights, the user cannot add/edit users/groups.

I got the above results from Livelink version 9.5.0.1.
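The privilege arithmetic in the reply above is easy to check, and the same decoding is useful for auditing which accounts actually hold the bit that enables impersonation. The following is an added example, not LAPI code and not from the original thread: a small Python decoder for the user privilege bitmask that uses the UAPI.PRIV_* values quoted in the reply (1, 2, 4, 8, 16, 256), verifies the 257 and 271 minimums, and flags any account carrying PRIV_PERM_BYPASS that is not on an expected list. The user records and account names are constructed sample data, and the function names are my own.

```python
# Livelink/Content Server user privilege bitmask helper (added example, not LAPI).
# Bit values are the UAPI.PRIV_* constants quoted in the reply above.
PRIV_LOGIN = 1
PRIV_UAPI_SESSION = 2
PRIV_DAPI_SESSION = 4
PRIV_WAPI_SESSION = 8
PRIV_UAPI_ADMIN = 16      # "User Administration" in the UI
PRIV_PERM_BYPASS = 256    # "System Administration Rights"; the bit Impersonate needs

# Ordered low bit to high bit so decoded names come out in a stable order.
PRIV_FLAGS = [
    (PRIV_LOGIN, "PRIV_LOGIN"),
    (PRIV_UAPI_SESSION, "PRIV_UAPI_SESSION"),
    (PRIV_DAPI_SESSION, "PRIV_DAPI_SESSION"),
    (PRIV_WAPI_SESSION, "PRIV_WAPI_SESSION"),
    (PRIV_UAPI_ADMIN, "PRIV_UAPI_ADMIN"),
    (PRIV_PERM_BYPASS, "PRIV_PERM_BYPASS"),
]

# "Login Enabled" as set from the UI is the four session bits together (15).
UI_LOGIN_ENABLED = PRIV_LOGIN | PRIV_UAPI_SESSION | PRIV_DAPI_SESSION | PRIV_WAPI_SESSION


def decode_privileges(mask: int) -> list[str]:
    """Return the names of the known privilege bits set in `mask`."""
    return [name for bit, name in PRIV_FLAGS if mask & bit]


def can_impersonate(mask: int) -> bool:
    """True when the mask carries both the login bit and the bypass bit.

    Per the reply: any account with System Administration rights (PRIV_PERM_BYPASS)
    can call Impersonate, not only the Admin account.
    """
    needed = PRIV_LOGIN | PRIV_PERM_BYPASS
    return mask & needed == needed


def has_user_admin(mask: int) -> bool:
    """True when the mask includes User Administration, which sysadmin does not imply."""
    return bool(mask & PRIV_UAPI_ADMIN)


def minimal_db_impersonation_mask() -> int:
    """Smallest mask that can impersonate; only settable directly in the database."""
    return PRIV_LOGIN | PRIV_PERM_BYPASS  # 257


def minimal_ui_impersonation_mask() -> int:
    """Smallest mask reachable from the UI: Login Enabled + System Administration."""
    return UI_LOGIN_ENABLED | PRIV_PERM_BYPASS  # 271


def find_unexpected_impersonators(users: dict[str, int], expected: set[str]) -> list[str]:
    """Accounts able to impersonate that are not on the expected allowlist.

    `users` maps account name to its privilege mask, e.g. as exported from the
    user table; `expected` lists the accounts that are supposed to hold bypass.
    """
    return sorted(name for name, mask in users.items()
                  if can_impersonate(mask) and name not in expected)


# Constructed sample export; these accounts and masks are illustrative only.
SAMPLE_USERS = {
    "Admin": UI_LOGIN_ENABLED | PRIV_UAPI_ADMIN | PRIV_PERM_BYPASS,  # 287
    "svc-aspnet": 271,   # the application account from the question, set via the UI
    "jdoe": 15,          # ordinary user: login enabled, no admin bits
    "contractor": 257,   # bypass granted directly in the database, no UI session bits
}
EXPECTED_BYPASS_ACCOUNTS = {"Admin", "svc-aspnet"}


if __name__ == "__main__":
    for name, mask in SAMPLE_USERS.items():
        print(f"{name:<12} {mask:>4}  impersonate={can_impersonate(mask)!s:<5} "
              f"user_admin={has_user_admin(mask)!s:<5} {decode_privileges(mask)}")
    print("unexpected:", find_unexpected_impersonators(SAMPLE_USERS, EXPECTED_BYPASS_ACCOUNTS))
```

Running the audit over a real export of the user table (account name and privilege column) is the check to pair with the thread's advice: the sysadmin bit is what grants impersonation, so the list of accounts holding it should be short and known.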
Louis_Routhier
Does any OT specialist see drawbacks to this technique?