Security for Project to just allow identities of the relationship of the "Project Team" to see/edit
I have looked into MAC and DAC and basic identity based securities and cannot figure out a solution for this. What I am trying to do is to only allow identities that are on the "Project Team" of the out of the box relationship to project to read/write. Now this is different than a normal "Team" again because it is just a relationship to project that is identities. Any help is appreciated, thank you!
Apply information security header: X-Content-Type-Options:nosniff File Upload not working
Dear All, Apply information security header: X-Content-Type-Options:nosniff File Upload not working My Env description as follows: 1. IIS 10 2. Aras Innovator 11Sp12 Error Message: Refused to execute script from 'localhost/.../include.aspx Because its MINE type ('text/css') is not executable, and strict MIME type checking is enabled. How to resolve the issue?Apply information security header: X-Content-Type-Options:nosniff File Upload not work
Dear All, Apply information security header: X-Content-Type-Options:nosniff File Upload not work My Env description as follows: 1. IIS 10 2. Aras Innovator 11Sp12 Error Message: Refused to execute script from 'localhost/.../include.aspx Because its MINE type ('text/css') is not executable, and strict MIME type checking is enabled. How to resolve the issue?
File Encryption
What can we do to add more security to our files, can the files in the Vault be encrypted? My first take is that one would use a server method on one of the onGet hooks to encode/decode files during the movement from and to the Vault. Can anybody offer any advice doing this ? Kind Regards Riaan
From the Minerva Vault: How to Create Secure Access Using MAC Policy in Aras Innovator
This blog by Damien Destrez covers an incredibly interesting use case for MAC Policy within Aras Innovator. Intro This blog by Damien Destrez goes over an incredibly interesting use case for MAC Policy within Aras Innovator. If you're unfamiliar with MAC Policies we have an introduction blog which can be found here, as well as another concrete example ...
Confidential Data Storing in Aras
Hi All , What would be the ideal way to store values in Aras that are confidential. Example : I am calling an url from within an Aras Method and I do not want to expose the URL value in my Method or on the Item. I was wondering that somehow the value should be stored in the database in an encrypted format and decrypted in the Method where it is invoked. Is there a way to achieve this in Aras and is this the correct approach to handle sensitive data. Regards :)
OAuth - How to use Grant Type "Authorization Code" for token generation
Hi everyone, I recently read this excellent blog post about token authentication using the REST API for Innovator, and in it Christopher Gillis says that ' urrently, I believe "password" is the only authentication type allows [sic]. Aras as a whole is moving towards more types of authentication in 12.0, so this is likely to change in the upcoming releases.' With 12.0 released, I see that OAuthServer\OAuth.config now defines two allowedGrantTypes for the clientRegistry with ID "IOMApp": 'password' - the one that I have been using in my code when generating OAuth tokens for Innovator so far - but also 'authorization_code'. Hence, I was wondering if anyone knows a practical way yet to generate the access token with that grant type, instead of using "password"? Thanks a lot in advance for any info on this subject. Cheers, C
Attribute suppression with multiple parameters
Hi, I'm looking to add a suppression to my ItemAnalysis.Suppressions xml file using 2 parameters in the same attribute suppression. How do I go about this/is this even possible? Currently we're on Aras 11SP12. We're looking at the following case. We want to enable appointing assignees in a workflow using the batchloader. To do so I need to use the following AML: <AML><Item action="add" type="Activity Assignment"> <source_id><Item type="Activity" action="get" where="[Activity].id IN ( SELECT a.ID AS ID FROM innovator.[ACTIVITY] a LEFT JOIN innovator.[WORKFLOW_PROCESS_ACTIVITY] wpa on a.id = wpa.RELATED_ID LEFT JOIN innovator.[WORKFLOW_PROCESS] wp on wpa.SOURCE_ID = wp.ID LEFT JOIN innovator.[WORKFLOW] w on w.RELATED_ID = wp.id LEFT JOIN innovator.[DOCUMENT] d on d.ID = w.SOURCE_ID WHERE a.LABEL_NL = 'name of some activity recognizable to the user, or @parameter1' AND wp.STATE = 'Active' AND d.ITEM_NUMBER = 'itemnumber of some document, or @parameter2' AND d.IS_CURRENT = '1')"> </Item> </source_id> <related_id><Item type="Identity" action="get" where="[Identity].keyed_name='some known identity'"></Item></related_id> </Item> </AML> So to find the right activity I need the name of that activity (or at least what a user recognizes as such) and the itemnumber of the document the activity assignment ultimately relates to. In order to fit this in the format required by the ItemAnalysis.Suppressions I'd have to supply 2 separate parameters but I don't think this is supported. How can I get this to work, with the knowledge that we're looking to migrate to Aras 12 and therefor adding <operating_parameter key="parse_item" value="false"/> to InnovatorServerConfig.xml won't be a longterm solution?
Firefox update cycle
Dear all, due to problems between ARAS 11SP15 and up-to-date Firefox versions, we would like to understand ARAS' planning for aligning new product releases with the Firefox update cycle. As per website, also the latest ARAS release (12.06) is only fully compatible with Firefox ESR 60, whereas this version is already replaced by version ESR68 and the last security updates for ESR60 are from Sept. 2019. link What kind of "lag" (the duration until ARAS Innovator is compliant with the latest ESR version) does ARAS have? link What are other customers' solutions using ARAS but still having an "up-to-date-security-compliant"-browser? Thank you all very much for your time and support Yours sincerely, Marek
