0 Replies Latest reply on Apr 18, 2013 3:32 PM by user8100138

    Discoverer Security issue - SSO

    user8100138
      All,

      We have configured SSO for our ERP application running in Forms/Reports/Discoverer, configured with 10g Application Server on SUSE Linux.

      Scenario
      =====

      In our ERP application we have a filter/security kind of concept in which a logged-in Finance user can use Finance reports and, similarly,
      other users are able to see only those Discoverer reports which are available to them. We execute the respective Discoverer URL
      from the application like this:

      [http://ipaddress:port/discoverer/plus?cn=cname&_plus_popup=false&framedisplaystyle=separate&wb=wbname&ws=wsheet_name]

      But when SSO-authenticated users log in, tamper with the Discoverer report URL and log in to the Discoverer admin page, they happen to see all the reports available in the end user layer. In this way the security enforced in our ERP application is broken. How do we avoid this? Users should not be able to see all the reports available in the end user layer. One option which comes to mind is to disable the discoverer/viewer page or discoverer/admin page for all users, i.e. they can see that page only from the application server and not on any of the client PCs. Is this the right approach?

      Appreciate valuable suggestions, and thanks in advance.