Global Security Forum

  • 1.  Ibm security identity manager v6.0.2 Dynamic roles bug

    Posted Tue August 15, 2023 08:20 AM
    Hello! Recently I found a bug in dynamic roles evaluation. Prerequisites:
    1. Clean ISIM 6.0.2.4
    2. Two dynamic roles specified. One of them has 1) a multi-valued attribute 2) with Unicode characters 3) and a substring match. The second role is for control.
    For example:
    "Test role 1" with filter "(&(title=superhero)(erAliases=雪*))"
    "Test role 2" with filter "(title=superhero)"
     
    When a user is created with attributes matching both roles (title=superhero, erAliases=雪風), only Test role 2 is assigned to the user. If the user is modified, it still does not assign Test role 1.
    A user can be found in User management, if the filter from Test role 1 is copied to Advanced user search.
     
    Only modifying the role itself includes the user in that role.
    Moreover, if a user with said attributes is already in the role and the user is modified, the role disappears.
     
    As the whole provisioning policies mechanism can rely on dynamic roles, I consider such behaviour a significant security impact.


    ------------------------------
    Amogh Blue
    ------------------------------


  • 2.  RE: Ibm security identity manager v6.0.2 Dynamic roles bug

    Posted Wed August 16, 2023 07:28 AM

    An update.

    The attribute does not have to be multi-valued. So the conditions to reproduce are: 1) the attribute has Unicode characters and 2) a substring is used. The role filters can be simplified:

    "Test role 1" with filter "(preferredLanguage=Ўзб*)"
    "Test role 2" with filter "(preferredLanguage=Ўзбек)"


    ------------------------------
    Amogh Blue
    ------------------------------
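
An added example, not part of any post in this thread and not IBM code: an independent check that re-evaluates the role filters quoted above against exported person data and reports users whose stored role membership disagrees with the filter. The export layout (uid / attrs / roles), the function names and the sample entries are assumptions made for illustration.

```python
import re, unicodedata

def _norm(s):
    return unicodedata.normalize("NFC", s).casefold()  # assumption: case-insensitive match on NFC text

def parse(flt, i=0):
    """Parse a filter subset (& | ! and attr=value with '*', no \\XX escapes); return (node, next_index)."""
    if flt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i] in "&|!":
        op, kids = flt[i], []
        i += 1
        while flt[i] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = flt.index(")", i)
    attr, _, pattern = flt[i:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against {lowercased attribute name: [values]}."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    rx = ".*".join(re.escape(part) for part in _norm(node[2]).split("*"))
    return any(re.fullmatch(rx, _norm(v), re.DOTALL) for v in attrs.get(node[1], []))

def audit(roles, people):
    """Return sorted (uid, role, problem) tuples where stored membership disagrees with the filter."""
    findings = []
    for role, flt in roles.items():
        tree, _ = parse(flt)
        for p in people:
            should = matches(tree, {k.lower(): v for k, v in p["attrs"].items()})
            if should != (role in p["roles"]):
                findings.append((p["uid"], role, "missing" if should else "unexpected"))
    return sorted(findings)

# Constructed sample data: the thread's filters plus a hypothetical export of users and their roles.
ROLES = {"Test role 1": "(&(title=superhero)(erAliases=雪*))", "Test role 2": "(title=superhero)"}
PEOPLE = [
    {"uid": "u1", "attrs": {"title": ["superhero"], "erAliases": ["雪風"]}, "roles": {"Test role 2"}},
    {"uid": "u2", "attrs": {"title": ["clerk"], "erAliases": ["雪風"]}, "roles": set()},
]
```

Calling audit(ROLES, PEOPLE) flags u1 as missing "Test role 1", which is the symptom described in the first post.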



  • 3.  RE: Ibm security identity manager v6.0.2 Dynamic roles bug

    Posted Mon September 04, 2023 08:06 AM

    Hi,

    It looks to be the target of a support incident; nevertheless, version 6.X is out of support, so you will have to migrate and validate the behaviour in version 10.X.



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------



  • 4.  RE: Ibm security identity manager v6.0.2 Dynamic roles bug

    Posted Mon February 26, 2024 11:06 AM

    An update 2.

    Following Felipe Risalde Serrano's suggestion, I tested the described behaviour in the latest ISIM (ISVG IM) 10.0.1.5.
    The bug remains there as well (moreover, design forms and change operations servlet bugs have been added).



    ------------------------------
    Amogh Blue
    ------------------------------



  • 5.  RE: Ibm security identity manager v6.0.2 Dynamic roles bug

    Posted Tue February 27, 2024 04:44 AM

    You need to raise a case to get this reported. This is not an official support forum, just a place where informal help is given on a best-effort basis.

    I am wondering if this is a local issue, as I would have expected that this was found by many users. Can you check what code page your LDAP server is running? It is in <instance>/etc/ibmslapd.conf, in the ibm-slapdSetenv: DB2CODEPAGE=1208 setting.

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------


