Last Modified: Nov 07, 2022
BIG-IP (all modules)
Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9
Opened: Dec 11, 2013 Severity: 3-Major
The association between "Hosted Content" sandbox and access profile can be inadvertently broken when a resource assignment agent is modified.
Inadvertent lost of access to public sandbox files.
1. Association between "Hosted Content" sandbox and access profile is set up to allow free access to sandbox files at public security level. Free access means access to file without creating any resources in the access policy. 2. There are some resource in the access policy, but none of these resources reference a sandbox file. When these two conditions are present in an access policy, any change to a resource assignment agent would break the association between sandbox and profile access.
Create a dummy resource that references a dummy sandbox file to avoid inadvertent dissociation between sandbox and access profile. Use Webtop and Dummy Webtoplink to Maintain Association Between Sandbox and Profile Access: - Use GUI to upload a dummy text file (*.txt like Blank.txt, because the content of the file can be blank) to sandbox Hosted Content. It's security level can be anything better than "public". - Create a full Webtop resource. - Create a Webtoplink with link-type "Hosted Content", and select the dummy text file in the sandbox. - Use VPE to add the Webtop and webtoplink resources to an Access Policy. As long as the dummy Webtoplink is not modified or removed from the Access Policy, the association between sandbox and profile access is maintained, regardless of changes in other resources. If the Access Policy already uses a Portal Access resource, a dummy Portal Access resource with link-type "Hosted Content" can be added to the Resource Assignment Agent. This dummy resource is not displayed on the Webtop if the option "Publish on Webtop" is not selected. As said above, as long long the dummy Portal Access resource is not modified or removed from the Access Policy, the association between sandbox and profile access is maintained, regardless of changes in other resources.