webMethods.io Integration New User Default Access

When a new user is created (via the My Cloud User Administration screen) with the webMethodsioIntegration-User role (from any provider, either SAG Cloud or a separate IdP via SAML 2.0), once the user logs in to webMethods.io Integration, they are automatically assigned the “Default” role and can see all projects by default. This is a security risk for newly onboarded users, as they should have the least amount of access required. Ideally, the default would be configurable to what tenant admins want; in our case, we want to default it to access to some projects for tutorials and examples only.


Hello Ming,

Firstly, welcome to the community 🙂

I agree with your point about default access to projects once a user logs in, but there is an option to restrict the user at the project level by defining custom roles and assigning them to the user.

As webMethodsioIntegration-User is at the SAG Cloud level, which allows the user to access all projects, at the Integration level you can restrict the user by defining custom roles.

Hope this helps.

Regards,
Bharath

Hi Bharath,

Thanks for your reply!

I understand what you’re saying; this is what we have been doing, but it is a security risk because we cannot apply that permission straight away. After creating the user in SAG Cloud (or via a third-party IdP), we do not see the user created in webMethods.io Integration until the user logs in to SAG Cloud and clicks on webMethods.io Integration. For this reason, it is hard for us to intercept the user after they have clicked on the webMethods.io Integration tile to set the role. At the very least, the user will see all projects straight away, and if we react fast enough, we can limit their access, but this should not be the default behaviour.

As a general rule for most applications, users should never have permission to everything by default. The workaround suggested relies on a manual step for administrators to change the user’s role in between the time they log in and the time they click a project, which could be seconds. We advised the users to share their screen with us when they log in for the first time, but this relies on the honesty of the users, so the security risk is highly probable, and given the number of integrations we have, it is of high impact too.

Thanks.


Hello Ming,

Honestly, I am completely with you on this topic; there are some improvements that should be made around this, especially on the user management and access part.

Accessing projects by default is truly a security violation which has to be treated differently. Let me take my part in having discussions internally around this, and I would also suggest raising an incident for tracking purposes.

Regards,
Bharath

Hi Bharath,
We do have plans to improve this in the roadmap; please reach out to me if you want to see what we have planned.
Regards,
John.


Hello @John_Carter4,

Thank you. Sure, let me reach out to you.

Regards,
Bharath

Hello @John_Carter4 and @Bharath_Meka1!
I’m having the same problem, @Jing_Ming_Guo. Have there been any improvements around default access for new users since the post was made?

BR,
Emil

Hey Emil,

Unfortunately, there have not been any updates on this. It was raised as an idea under https://webmethods.ideas.aha.io/ideas/WIO-I-130 and it’s still marked as “under consideration”.

Thanks.

Hello Jing!
Thanks for the information. Hopefully it can be prioritized soon, since it’s currently a big security risk.

BR,
Emil