Introduction

In order to facilitate the detection of empty ACLs, which can lead to the exposure of sensitive information to not logged-in users as reported on October 19th 2023, we have made available the attached Update Set.

Execution Instructions and Results

The  Update Set includes a fix script which needs to be run as a regular fix script in the Global Scope. Then, in the Progress Worker form for the script execution, the Message field will display a list of all empty ACLs, listing their name and sys_id. Note that you will need to scroll down all the way to the bottom of the Message field to see this information.

The script will group any detected ACL (on either a table or a dictionary entry) into the following categories:

1. ACLs found with no conditions, no roles and no script
2. ACLs found with no conditions, no script and public role
3. ACLs found with no conditions, no role/public role and a potential weak script. (Note: a potential weak script is one where the script always evaluates to true in a single line).

Each category header will list the number of ACLs found. There will follow one line per ACL in each group, with the format "QC - ACL scan: <ACL name>  - <ACL sys_id>

In addition, a link will be generated to filter the the ACL table with the sys_ids in each group. Note that the link may not be valid if the number of ACLs in each group exceeds the maximum URL size limit.

The system log will also contain one line per detected ACL, with the prefix QC - ACL scan:. However, because log ordering is not deterministic the category headers will likely be interspersed with the listing of ACLs themselves, and will be harder to interpret.