Avoid reading this if you are not going to do anything about it
I was using one of our applications and noticed the lack of column sorting made the view hard to use (we'll come back to this). So I thought I should just fix it. Since IT rarely lets me have Designer access to production databases, I went looking for another way. It turns out the database inherited its design from a template. It also turns out the template was not on the server (I created a private view in the Catalog to show this - yes, it is up to date, and yes I did remove the part of the selection formula that hid databases not shown in the Catalog). Next, I went looking for a database to hijack. Back to the catalog.
The view Access Control Lists by level quickly showed me a database with -Default- access of Manager. It was called Discussion Test, had no documents, and was created in 2003. Perfect candidate to become my new template. Copy the original database, design only and create a template locally. Fix the views. Now set the hijacked database to be a template and replace the design from my local copy. Now, sign the database with the active server id. Last step, sit back and wait for the design task to fix my database. By the time anyone notices, any evidence in the log file will be gone.
So, what are you going to do about it? Right now you are going to open your Catalog and identify any database or template where the -Default- access is Manager and change it. Don't stop there. Also check the databases with -Default- access set to Designer - I can hijack those also.
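The check described above can also be run across a whole server rather than by eye in the Catalog. The LotusScript agent below is an added example, not code from the original post: it walks the server's database directory and reports every database or template whose -Default- entry is Designer or Manager, along with any template names involved. `SERVER_NAME` is a constructed placeholder, and the agent is assumed to run under an ID that can open the databases it audits.

```lotusscript
Option Declare

' Added audit example: flag databases and templates whose -Default-
' ACL entry is Designer or Manager. Read-only; it changes nothing.
Sub Initialize
	Const SERVER_NAME = "Server1/Example"   ' constructed placeholder
	Dim session As New NotesSession
	Dim dbdir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim entry As NotesACLEntry
	Dim levelName As String
	Dim flagged As Integer

	Set dbdir = session.GetDbDirectory(SERVER_NAME)
	' TEMPLATE_CANDIDATE returns both .nsf databases and .ntf templates
	Set db = dbdir.GetFirstDatabase(TEMPLATE_CANDIDATE)
	Do Until db Is Nothing
		Set entry = Nothing
		On Error Resume Next                ' unreadable databases are reported, not fatal
		Call db.Open("", "")
		If db.IsOpen Then Set entry = db.ACL.GetEntry("-Default-")
		On Error GoTo 0

		If entry Is Nothing Then
			Print "SKIPPED (could not read ACL): " & db.FilePath
		Else
			levelName = ""
			Select Case entry.Level
			Case ACLLEVEL_MANAGER
				levelName = "Manager"
			Case ACLLEVEL_DESIGNER
				levelName = "Designer"
			End Select
			If levelName <> "" Then
				flagged = flagged + 1
				Print "-Default- = " & levelName & ": " & db.FilePath & _
				" | title: " & db.Title & _
				" | is template: " & db.TemplateName & _
				" | inherits from: " & db.DesignTemplateName
			End If
		End If
		Set db = dbdir.GetNextDatabase()
	Loop
	Print "Databases/templates with -Default- at Designer or above: " & flagged
End Sub
```

Entries marked SKIPPED still need a manual look, since the agent could not read their ACLs.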
And all this came about because the requirements for the application didn't include a requirement that the sort sequences made sense! Is that so hard?
Category Best Practices Compliance