Need user access security in the JadeMonitorSchema JadeSDSAdmin and RPSManager applications
Reference contact# for this JEDI is 66544.
The JadeSDSAdmin and RPSManager applications allow any user full access.
These applications should at a minimum first require signon and user / password verification as the monitor does when JadeMonitorSecurity.MonitorSecurity=DevelopmentSecurity (and a development security library is configured and installed).
Preferably utilisation of an access control capability similar to jadeDevelopmentFunctionSelected usage in monitor would be provided to approve/deny & audit actions.
JadeSDSAdmin functions such as disabling connections and initiating takeovers could then be auditable and controlled.
RPSManager functions such as extracting or loading data, or executing SQL scripts, could then be auditable and controlled.
These are examples, not a an exhaustive list.
This all comes about because we are in the process of certifying compliance with the Australian Taxation Office (ATO) digital service providers (DSPs) requirements for products and services hosted by the client. In these cases the client is self hosting our software product and using functionality for payroll / tax that interacts with ATO digital services.
The general requirement we need to address here, as I understand it, is an access control requirement where users should only be able to access functions, services, and other resources, for which they possess specific authorization, and those access control decisions (success or failure) can be logged. Such access control also limits the possibility of denial of service, or tampering issues.
This would need to be a hot fix to 2018.
Kerry Glynn
