Problem with secure information about servers for each user (GDPR)
If I add a new user to the system who has the right only to, e.g., live view of specific cameras on a single server, it works correctly. The problem is that after selecting Information (F1) from the menu, this user has information about all servers in the system: names and IPs of servers.

Information about the servers in the system should be available only to the Administrators group and should not be displayed to every user.
How can I disable access to this function in the menu for users other than the administrator group?
-
Andrzej, I have exactly the same observations. A typical user account should not have access to sensitive administrative information like the IP addresses of all the servers working in a hive. To be honest, I have even more examples (including the API) of how to read such sensitive information from Nx servers, even without having to log in to the system. I already sent an inquiry to Nx support and asked them to hide such information from users (no matter whether logged in or not). I think they will respond with some patches, but I'm not sure when.
-
Hi Andrzej Róg,
Can you elaborate on how this affects security? When I'm on the network, there are tons of tools I can use to discover any device on the network.
To be clear: IP addresses and names of servers do not necessarily fall under the GDPR. The GDPR is intended to document and protect in some way personal data. The only way I see it could violate the GDPR is if the name of the server immediately refers to an individual (name=server to observe Mrs. XYZ) and the individual didn't give approval for that.
A fun story about the GDPR and the most commonly used operating system and office application.
Since the report, adjustments were made solely for the Dutch government, and users have to do some workarounds to comply with the GDPR. For all other users, the adjustments aren't available, so the majority of people in the EU will never comply with the GDPR at all unless they use another OS and office application.
-
Hi Norman Graafsma, you may be right about the GDPR but I can't share system-wide data with my clients.
Clients do not want others to see their server.
-
Hi Andrzej Róg,
Clients can't see servers of other users; they only see servers that were merged into the same system.
If (no promises) we are going to change it, to which kind of user roles do you consider it reasonable to display the information?
And to which user roles definitely not, and why?
P.S. I'll move this topic to the New Feature Ideas section, so our product team can read it as well.
-
Hi Andrzej Róg,
We created a task to investigate the impact of changing this option and making the 'About...' information only available for the owner and administrators.
If the impact is low, we will try to add it to a next patch of version 4.1. If the impact is larger, we will add it to version 4.2 or even later, depending on the severity of the impact.
JIRA-VMS-20457
-
Hi Norman Graafsma, thank you for your quick response - in my opinion such a solution will be very good.
-
Hi Andrzej Róg and Tomasz Polus,
We just released the October patch in which we fulfilled this request, and only administrators can see servers in the Desktop Client "About" dialog.
Admin view:
Other users:
-
The link to download the patch does not work :(
Regards
-
Hi Andrzej Róg,
Please check our Customer Portal and head to the tab Monthly Patch to find the latest patch, which includes all fixes of the previous patches.
-
Thanks for the tip. :)
Regards