When you have restrictions (object/row/table) set on a universe, Deski will ignore all those restrictions when you get your account disabled in a 2nd Deski session.
An account can get disabled when, e.g., “Disable account after N failed attempts” is set in CMC.
Example:
Open a 1st DeskI session and create a report on a restricted universe. Security and restrictions are applied correctly (e.g. cannot see object “salary”). Do not close this session.
Open a 2nd DeskI session. Now log in several times with a wrong password, until your account gets disabled.
When your account is disabled, go back to the 1st Deski session and edit the data provider … all restrictions are ignored! So e.g. the object “salary” is suddenly visible and can be queried!
The problem is still there in FP2.4. I reported the problem to support, so this will be solved in the next FixPack at the earliest.
Meanwhile, I do not use “Disable account after N failed attempts”. This way users cannot disable an account themselves.
Thanks for that feedback. But easy to understand. Restrictions are stored within the CMS. Thus as soon as you lock the user account there is no longer any communication between the CMS and Deski.
If, for example, you go into the CMC and lock the report for that user or disable his right to use Deski, it will probably be the same behaviour.
Correct, but in BO6 you don’t really communicate with the repo. I mean just when you log on. The architecture is really different now. You found a very good security leak.