ION API does not pass user credentials to M3 - User Impersonation

Legacy Contributor

Hello,

We are using ION API in our workflows to update values in M3. The change ID in M3 reflects the service account user ID from IFS instead of the actual user performing the task.

We see this as a serious security lapse in our company.

If for instance we have a customer order for $300,000 and it's in customer order stop and if someone adds a user by oversight to the distribution group who has no access to either M3 or the program, can still approve and M3 is updated and customer order is release for invoicing with no security check. ION does not consider M3 security when it comes to ION API. Only service account linked is used irrespective of any user using the workflow ION API?

Is there a way to overcome this situation?

Can we use endpoint to pass on the user credential who approves the task to perform the M3 API operations?

Thanks

DS Sharma

Jonathan Amiran

Hi,

I don't see it as a security flaw, furthermore, it allows users that are not in M3 to be part of the Workflow (for instance, usually the company's CEO doesn't use M3).

 

The only solution that I see for your problem is to use DrillBacks instead of APIs.

 

Jonathan