This documentation applies to the 8.1 version of Remedy Action Request System, which is in "End of Version Support."

To view the latest version, select the version from the Product version menu.

Setting security restrictions on file uploads

You can restrict BMC Remedy AR System users from uploading and viewing files with certain extensions in BMC Remedy Mid Tier. This feature helps prevent users from uploading malicious attachments and viewing them.

The following sections are provided:

Restricting attachments

Use the Attachment Security tab in the AR System Administration: Server Information form in the BMC Remedy AR System Administration Console. You must be logged on as an administrator to perform this procedure.

To restrict attachments

  1. In a browser, open the AR System Administration Console, and click System > General > Server Information.
    The AR System Administration: Server Information form appears.
  2. Click the Attachment Security tab as shown in the following figure:
    AR System Administration: Server Information form — Attachment Security tab

    (Click to expand the image.)


  3. Enter the attachment options that you need, and click Apply.
    The following table describes the available options:
Field nameDescription
Attachment criteria
  • Include all attachments No restrictions on uploading attachments
  • Allow attachments with following extensions — Upload attachments with extensions listed in Comma separated list of limit extensions.
  • Disallow attachments with following extensions Do not upload attachments with extensions listed in Comma separated list of limit extensions. All other attachments are allowed.
Comma separated list of limit extensionsAttachment extensions that are allowed or not allowed, based on the Attachment criteria selected.
Attachment exception list

The list of Form names (field ID) for which attachment limitations do not apply—for example, Data Visualization Module(3450298).

If the user uploads any attachment in the form fields specified in attachment exception list, these fields are not validated and the attachments are uploaded without verification in the fields.

Attachment validation plugin name

Name of the custom validation plug-in that you developed for verifying attachments

The custom validation can perform any function per your requirements. You can develop the plug-in for performing functions like verifying the attachment containing malicious content, verifying whether the attachment is a virus, verifying whether the user has changed the extension for uploading the attachment, and so on.

Example: EXAMPLE.ARF.SIMPLE (name of the custom plug-in that you developed)

If you are using a C plug-in, add the .dll/.so path in the ar.cfg/ar.conf file in the following format to load the plug-in:
Plugin: <CompletePath>/myplugin.dll

Specifications for plug-in development:

The custom validation plug-in should be a Filter API Plug-in, which has only one API. Following is the prototype for the API:

void ARFilterApiCall(void *object, ARValueList *inValues, ARValueList *outValues, ARStatusList *status)

    • object — Name of the object
    • inValues — Indicates that it has only one value, which is of attachment type 
    • outValues —  Indicates that it has only one value, which is of attachment type only when status is warning; otherwise, the value is Null
    • status  — Indicates the status of the attachment validation (OK, Warning or Error). If the status is Warning, the outValue is used for saving attachment data.

Attachments flowchart

The following flowchart helps you understand the attachment security based on the options that you select from the Attachment criteria list.

Attachment security flowchart
(Click to expand the image.)

Attachment_Filter_Flowchart

Scenarios for restricting attachments

The following table lists examples of parameter values for requests that include attachments:

ParameterScenario 1Scenario 2Scenario 3Scenario 4Scenario 5Scenario 6
Attachment criteriaInclude all
attachments
Allow attachment
with the following
extensions
Allow attachment
with the following
extensions

Allow attachments
with the following
extensions

Disallow attachments
with the following
extensions
Disallow attachments
with the following
extensions
Comma separated
list of limit extensions
doc
xls
jpg
gif
doc
xls
jpg
gif
doc
xls
jpg
gif
doc
xls
jpg
gif
exe
dll
db
exe
dll
db
Attachment exception list-Data
Visualization
Module(41006),
Report
(2000012)
----
Attached File examples

example.dll,
example.gif


example.jar
(JAR File field
on Data
Visualization
Module form)
example.doc,
example.jpg
example.exe,
example.db
example.doc,
example.txt
example.exe,
example.dll
StatusFile is attached.
All attachment options
are permitted.
File is attached.
The JAR File field ID
is added to the
attachment
exception list.
File is attached.
Its extension is
on the
list of
permitted
extensions.

File is not attached.
Its extension is not
on the list of
permitted
extensions.

File is attached.
Its extension is
not on the list of
disallowed
extensions.

File is not attached.
Its extension is on
the
list of disallowed
extensions.

Disabling views

You can also restrict users from viewing the content of certain types of files. Use the Attachment Security tab in the AR System Administration: Server Information form in the BMC Remedy AR System Administration Console. You must be logged on as an administrator to perform this procedure.

  1. In a browser, open the AR System Administration Console, and click System > General > Server Information.
    The AR System Administration: Server Information form appears.
  2. Click the Attachment Security tab, shown in the following figure
    AR System Administration: Server Information form — Attachment Security tab

    (Click to expand the image.)
  3. Enter the display options that you need, and click Apply.
    The following table describes the available options:
Field nameDescription
Display criteria
  • Allow display of all attachments — Users can view all the attached files by clicking the Display button in the Attachments pool.
  • Allow display of attachments with the following extensions — Users can view attached files that have extensions specified in Comma separated list of display extensions.
  • Disallow display of attachments with the following extensions Users cannot view attached files that have extensions specified in Comma separated list of display extensions. All other attachments are allowed.
  • Disallow display of all attachments Users cannot view any attachment. 

The display criteria are applied to all the existing extensions in the BMC Remedy Mid Tier application.

Comma separated list of display extensionsLists the attachment extensions that you want to allow or not, based on Display criteria

For any particular attachment that you want to view, the Display button in BMC Remedy Mid Tier or the Display menu command in the BMC Remedy User Tool is enabled only if Display criteria enables you to view that attachment. For all other attachments, the Display button or menu command is dimmed.

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Comments

  1. Andre Lhoest

    Hi,

    attachment security is available since 7.6.04 SP 5. (Came to this site via Service Pack 1: 8.1.01 )

    Nov 28, 2014 08:31
    1. Prachi Kalyani

      Hello Andre,

      Thank you for your comment.

      You are correct, the feature Security restrictions on file uploads was introduced in BMC Remedy AR System 7.6.04 SP5. But the feature is also part of the BMC Remedy AR System version 8.1. So it is documented here.

      Thanks,

      Prachi

      Dec 01, 2014 12:57
  2. Sameer Alomari

    Dear Team ,

    i have AR version 8.1.00 201301251157 and Attachment security is not there can i know why , even i am longing as administrator ??

    Regards,,

    Nov 26, 2015 08:16
    1. Poonam Morti

      Hi Sameer,

      I will verify this with the SME and get back to you.

      Thanks,

      Poonam

      Nov 26, 2015 11:07
    1. Poonam Morti

      Hi Sameer,

      I have verified this with the SME. The Attachment Security tab is enabled from BMC Remedy AR System 8.1 SP1 and is not available for AR System 8.1.00.

      Thanks,

      Poonam

      Nov 30, 2015 05:04
      1. Sameer Alomari

        Hi Poonam ,

        so if i want to prevent some attachment type , i cant with My current version or it is still possible with another way?
        thank you

        Dec 07, 2015 02:23
        1. Poonam Morti

          Hi Sameer,

          You need to upgrade to BMC Remedy AR System 8.1 SP1.

          Thanks,

          Poonam

          Dec 18, 2015 03:56
  3. Rosemary Ingrey

    Scenario 1 refers to "example.dll" being attached, but it's not included in the allowed file extensions list. Possibly meant to be "example.doc"?

    Apr 06, 2017 06:44
    1. Anagha Deshpande

      Hello Rosemary,

      I will check this with SME and will write back to you,

      Regards,

      Anagha 

      Apr 06, 2017 10:03
      1. Anagha Deshpande

        Hello Rosemary,

        Sorry for responding late.

        Scenario 1 specifies Attachment criteria = “Include all attachments”, so list of extensions is ignored in this case and the example.dll file is allowed in such a case. The documentation is correct.

        Regards,

        Anagha

        Jul 17, 2017 11:25