Symptoms
Security Concerns
Diagnoses
We discovered some alarming security concerns today.
Using test accounts that were not added to Workspace as users or admins, we found we could perform the actions listed in the attached table.
How can we mitigate this issue?
Resolution
One way to restrict access to some of these areas is to set "Workspace Menu Permissions", which control which tabs ("Reports", "Management", "Notification Events", "Security", "User Settings") are available to the users who access K2 Workspace, as described here:
http://help.k2.com/onlinehelp/k2blackpearl/UserGuide/4.6.10/webframe.html_Secuirty Reqiurements.html
Please note that once you set permissions on a tab for a user or group, everyone who is not that user or a member of that group will no longer see that tab. This includes the account you are using to set the permissions, so add that account (or a group it belongs to) as well, or you will lock yourself out of the tab. Setting permissions on the "Security" tab is the final step, so to speak: it prevents everyone except the explicitly allowed users from managing these K2 Workspace Menu Permissions themselves. Verify the result by signing in with one of the test accounts and confirming that the restricted tabs no longer appear.

Another method is to set "Authorization Rules" at the IIS level (outside K2), which prevents users who are not explicitly allowed from even loading the K2 Workspace home page rather than just hiding tabs once they are in.
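As an added illustration of the IIS-level option (this is an example web.config, not configuration shipped with K2 or taken from the original article), the fragment below shows the permissive default that IIS URL Authorization inherits from applicationHost.config beside a restricted rule set for the Workspace application. It assumes the IIS "URL Authorization" role service is installed, that Windows Authentication is enabled and Anonymous Authentication is disabled on the Workspace site (those authentication sections are locked at the server level by default, so configure them in IIS Manager or applicationHost.config rather than here), and that DOMAIN\K2-Workspace-Users is a placeholder for the Active Directory group that should be allowed in.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config for the K2 Workspace application in IIS.
     Added example, not K2's own configuration. Assumptions: the IIS
     "URL Authorization" role service is installed, the site uses Windows
     Authentication with Anonymous Authentication disabled, and
     DOMAIN\K2-Workspace-Users is a placeholder group name. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Weak default inherited from applicationHost.config, which
             lets any authenticated account load every Workspace page:
               <add accessType="Allow" users="*" />
             Remove it here so that only the rules below apply. -->
        <remove users="*" roles="" verbs="" />

        <!-- Hardened: only members of the Workspace group may load the
             application. Make sure the administrator who manages
             Workspace Menu Permissions is in this group, otherwise the
             same lock-out described above happens at the IIS layer. -->
        <add accessType="Allow" roles="DOMAIN\K2-Workspace-Users" />

        <!-- No explicit Deny rule is needed: once the wildcard Allow is
             removed, a request that matches no Allow rule gets HTTP 401.3.
             Avoid adding <add accessType="Deny" users="*" />, because IIS
             evaluates Deny rules before Allow rules and it would lock out
             the allowed group as well. -->
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

After applying the file, test with one of the unlisted test accounts: the Workspace home page should return 401.3 instead of rendering, while a member of the group still signs in normally. Because URL authorization is enforced by IIS before any K2 code runs, this complements the Workspace Menu Permissions rather than replacing them; the menu permissions still govern what an allowed user sees once inside.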