Hi All!
I think we found a security problem using ODAG.
We have a lot of corporate data connections, including to databases, with access controlled by security rules.
But recently we found out that a user, using ODAG, can access a data connection for which he doesn't have permission: because ODAG apps are generated with the service user's permissions (sa_api), he can execute queries against this data connection.
The user, from a business area and with a professional license, generated an ODAG app originally created by the IT team that uses a database connection. The user can't access the connection directly, but through the Script Editor he found the data connection name, created his ODAG apps, and now he can use the "forbidden" database.
I haven't found a way to avoid this, other than disabling the On-Demand App Services in QMC.
Are we missing something?
Appreciate any help!
Caiut
PS: Qlik Enterprise, version November 2021