Q: In Time Traveler, how do I completely hide an attribute’s content from a role?
Specifically, I have an attribute that I’d like to be able to hide from all roles except Admin ...
I’ve managed to use the Exclude option in Security Settings to hide the attribute from a specific role but I’ve found that someone with this role can still perform a query in Time Traveler advanced search on the parent silo if they want to, specifying the attribute name and a partial search string. So if they knew the attribute could contain the substring ‘VIP’ for example, they could query where attribute contains VIP and see all people tagged as VIPs.
Is there a way to prevent this?
A: Leaking data via target attribute search is a known limitation of the role system.
To prevent this kind of information leakage, you need to avoid assigning the Search feature permission to the role. Service Panel provides a workaround for this limitation by including the “Field Query Only” option, which limits search to select fields.
One option for your environment would be to add a Time Traveler link to your service panel virtual silo, and provide users in constrained roles access to the Identity Panel “Object” feature, but not the “Search” feature.
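A minimal model of the leak discussed in this thread, as an added example that is not Time Traveler or Service Panel code. It shows why excluding an attribute from display does not stop a search filter from confirming its contents, and how restricting which fields may be queried closes that gap. The role names, the `vipTag` attribute, the `query_fields` setting and the records are all constructed for illustration.

```python
# Constructed sample data; "vipTag" stands in for the attribute hidden from non-admin roles.
RECORDS = [
    {"id": 1, "name": "Ana Ruiz", "dept": "Sales", "vipTag": "VIP-gold"},
    {"id": 2, "name": "Ben Cole", "dept": "IT", "vipTag": ""},
    {"id": 3, "name": "Chi Tran", "dept": "Sales", "vipTag": "VIP-silver"},
]

# Hypothetical role model: "exclude" hides attributes from output only;
# "query_fields" (None = unrestricted) is an allowlist of searchable fields.
ROLES = {
    "admin": {"exclude": set(), "query_fields": None},
    "helpdesk": {"exclude": {"vipTag"}, "query_fields": None},
    "helpdesk_field_query_only": {"exclude": {"vipTag"},
                                  "query_fields": {"name", "dept"}},
}


def render(record, role):
    """Drop excluded attributes from a record before it is shown to the role."""
    hidden = ROLES[role]["exclude"]
    return {k: v for k, v in record.items() if k not in hidden}


def search(role, field, substring):
    """Substring search. The filter runs on the full record; exclusion is
    applied only afterwards, when results are rendered."""
    allowed = ROLES[role]["query_fields"]
    if allowed is not None and field not in allowed:
        raise PermissionError(f"role {role!r} may not query field {field!r}")
    hits = [r for r in RECORDS if substring in str(r.get(field, ""))]
    return [render(r, role) for r in hits]


if __name__ == "__main__":
    # Display exclusion alone: the value is never shown, but the set of
    # matching records reveals which people carry the tag.
    print(search("helpdesk", "vipTag", "VIP"))
    # With a query-field allowlist, the same search is rejected outright.
    try:
        search("helpdesk_field_query_only", "vipTag", "VIP")
    except PermissionError as exc:
        print("blocked:", exc)
```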