John Walter

Security hole via API?

We developed a custom app in SF that does employee reviews.  An employee completes an extensive self-review, hands it off to their manager, who edits it for a final review, then it gets shared with HR.  The security is such that the employee can only see their own review, the manager can see any of their subordinates' reviews, and HR can see them all.  Security is mainly handled through profiles and permission sets.

The problem arises in that we are using a 3rd party ODBC emulator that uses API calls (CDATA - and it's a great product), so we can get access to the tables for various reporting and data updates.  All is fine considering that only an admin would be running the reports and updates.

But if I was a disgruntled hacker type employee, and I knew I could simply download the CDATA ODBC connector, create a DSN to Salesforce, get my security token, and then login, it turns out that the entire employee review table is visible to me - I can see everyone's record.  You can see how this presents a problem?

I found that I could disable API access on certain profiles, which keeps them from being able to connect, but what if in some other area I had an application that required API access for my general users? I don't, but I'm just trying to envision how this is a security hole in general, or might be if we do end up having such an app.

I know that within SF I can lock down specific tables and fields to any degree desired, and ODBC via API will not even see those fields, not to mention the data behind them, but this disgruntled employee already has full access to all fields for his own review (maybe that's why he's disgruntled?).  What about other kinds of sensitive information that might be in other tables... seems like it would be pretty easy to breach security that everyone thought was locked down via the SF UI.

Am I missing something?  Did anyone else see this and have a problem with it? Is there any other way of locking this down and still having API open for other apps?  Maybe disabling security token generation which the ODBC config needs?  Do I need some kind of OAuth server (one suggestion so far), of which I don't know anything about yet.
asagarwal.com
Hi John,

You have written that "it turns out that the entire employee review table is visible to me - i can see everyone's record"

How have you implemented the record level security? If OWD (Organization Wide Default) on your object is set to Private, the employee shouldn't be able to see the records of other employees, even if they connect through APIs.

Ashish (http://www.asagarwal.com)
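One way to check Ashish's point for a specific object is an Apex test that creates a review as one user and queries it as another. This is an added example, not code from the thread or from the app John describes; it assumes a hypothetical custom object Employee_Review__c with a Text Name field and an Employee__c lookup to User, and a profile named "Standard User". System.runAs enforces record sharing (OWD, sharing rules, role hierarchy) but not object or field permissions, so a count of zero here means the sharing model, which is what the API also goes through, is what is hiding the record.

```apex
// Added example, not from the original thread. Hypothetical object
// Employee_Review__c with Text Name and Employee__c (lookup to User).
@IsTest
private class EmployeeReviewSharingTest {

    // Build a minimal user with the given profile so the test can run as them.
    private static User makeUser(String alias, String profileName) {
        Profile p = [SELECT Id FROM Profile WHERE Name = :profileName LIMIT 1];
        return new User(
            Alias = alias,
            Email = alias + '@example.invalid',
            Username = alias + '.' + System.currentTimeMillis() + '@example.invalid',
            LastName = alias,
            ProfileId = p.Id,
            TimeZoneSidKey = 'America/New_York',
            LocaleSidKey = 'en_US',
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US'
        );
    }

    @IsTest
    static void otherEmployeeCannotSeeReview() {
        User alice = makeUser('alice', 'Standard User');
        User bob = makeUser('bob', 'Standard User');

        // Insert the setup objects (Users) in their own runAs block to avoid
        // a MIXED_DML_OPERATION error with the custom object DML below.
        System.runAs(new User(Id = UserInfo.getUserId())) {
            insert new List<User>{ alice, bob };
        }

        // Create Alice's review as Alice so she is the record owner.
        Employee_Review__c review;
        System.runAs(alice) {
            review = new Employee_Review__c(Name = 'Alice 2023', Employee__c = alice.Id);
            insert review;
        }

        // Bob queries with his record sharing enforced, as an API session of his would.
        System.runAs(bob) {
            Integer visibleToBob = [SELECT COUNT() FROM Employee_Review__c WHERE Id = :review.Id];
            System.assertEquals(0, visibleToBob,
                'Record sharing is not hiding the review: Bob can see Alice\'s record');
        }

        // Alice still sees her own record.
        System.runAs(alice) {
            Integer visibleToAlice = [SELECT COUNT() FROM Employee_Review__c WHERE Id = :review.Id];
            System.assertEquals(1, visibleToAlice, 'Owner should see her own review');
        }
    }
}
```

If the assertion for Bob fails even though OWD is Private, the usual suspects are a sharing rule on the object, the role hierarchy (Grant Access Using Hierarchies), or a "View All" object permission or "View All Data" on the profile or a permission set, all of which apply to API sessions exactly as they do to the UI.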

John Walter
Thanks for your response, but yes, the OWD is already set for private for this object