Setting security restrictions on file uploads

You can restrict BMC Remedy AR System users from uploading and viewing files with certain extensions in BMC Remedy Mid Tier. This feature helps prevent users from uploading malicious attachments and viewing them.

Restricting attachments

Use the Attachment Security tab in the AR System Administration: Server Information form in the BMC Remedy AR System Administration Console. You must be logged on as an administrator to perform this procedure.

To restrict attachments

  1. In a browser, open the AR System Administration Console, and click System > General > Server Information.
    The AR System Administration: Server Information form appears.
  2. Click the Attachment Security tab as shown in the following figure:
    AR System Administration: Server Information form — Attachment Security tab

  3. Enter the attachment options that you need, and click Apply.
    The following table describes the available options:
Field name / Description

Attachment exception list
    The list of form names (field ID) for which attachment limitations do not apply—for example, Data Visualization Module(3450298).

    If a user uploads an attachment to a form field specified in the attachment exception list, the field is not validated and the attachment is uploaded without verification.

Attachment criteria
    • Include all attachments — No restrictions on uploading attachments.
    • Allow attachments with following extensions — Upload attachments with extensions listed in Comma separated list of limit extensions.
    • Disallow attachments with following extensions — Do not upload attachments with extensions listed in Comma separated list of limit extensions. All other attachments are allowed.

Comma separated list of limit extensions
    Attachment extensions that are allowed or not allowed, based on the Attachment criteria selected.

Attachment validation plugin name
    Name of the custom validation plug-in that you developed for verifying attachments.

    The custom validation can perform any function that you require. For example, you can develop the plug-in to verify whether the attachment contains malicious content, whether the attachment is a virus, whether the user has changed the extension to upload the attachment, and so on.

    Example: EXAMPLE.ARF.SIMPLE (name of the custom plug-in that you developed)

    If you are using a C plug-in, add the .dll/.so path in the ar.cfg or ar.conf file in the following format to load the plug-in:

    Plugin: <CompletePath>/myplugin.dll

    Specifications for plug-in development:

    The custom validation plug-in should be a Filter API Plug-in, which has only one API. Following is the prototype for the API:

    void ARFilterApiCall(void *object, ARValueList *inValues, ARValueList *outValues, ARStatusList *status)

    • object — Name of the object
    • inValues — Has only one value, which is of attachment type
    • outValues — Has only one value, which is of attachment type, only when status is Warning; otherwise, the value is Null
    • status — Indicates the status of the attachment validation (OK, Warning or Error). If the status is Warning, the outValue is used for saving attachment data.

Display criteria
    • Allow display of all attachments — Users can view all the attached files by clicking the Display button in the Attachments pool.
    • Allow display of attachments with the following extensions — Users can view attached files that have extensions specified in Comma separated list of display extensions.
    • Disallow display of attachments with the following extensions — Users cannot view attached files that have extensions specified in Comma separated list of display extensions. All other attachments are allowed.
    • Disallow display of all attachments — Users cannot view any attachment.

Comma separated list of display extensions
    Lists the attachment extensions that you want to allow or not, based on Display criteria.
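
One check that a custom validation plug-in could perform, detecting an attachment whose content does not match its extension, is sketched below as an added example; it is not BMC code. The names check_attachment, ATT_OK and ATT_ERROR and the signature tables are assumptions, and the code that reads the attachment from inValues and reports through status inside ARFilterApiCall is not shown. The check compares extensions case-insensitively and assumes executable content is never acceptable.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes; a real plug-in reports through ARStatusList. */
enum verdict { ATT_OK = 0, ATT_ERROR = 2 };

/* Extension (lower case) and the leading bytes a genuine file of that type has. */
struct sig { const char *ext; const unsigned char *magic; size_t len; };
static const struct sig SIGS[] = {
    { "gif", (const unsigned char *)"GIF8",             4 },
    { "jpg", (const unsigned char *)"\xFF\xD8\xFF",     3 },
    { "doc", (const unsigned char *)"\xD0\xCF\x11\xE0", 4 },
    { "xls", (const unsigned char *)"\xD0\xCF\x11\xE0", 4 },
};
/* Leading bytes of executable content (DOS/PE and ELF headers). */
static const struct sig EXEC[] = {
    { "exe/dll", (const unsigned char *)"MZ",         2 },
    { "elf",     (const unsigned char *)"\x7F" "ELF", 4 },
};

static int starts_with(const unsigned char *buf, size_t n, const struct sig *s) {
    return n >= s->len && memcmp(buf, s->magic, s->len) == 0;
}

/* Case-insensitive compare of the file name's extension with a lower-case one. */
static int ext_is(const char *name, const char *ext) {
    const char *dot = strrchr(name, '.');
    if (!dot) return 0;
    for (dot++; *dot && *ext; dot++, ext++)
        if (tolower((unsigned char)*dot) != *ext) return 0;
    return *dot == '\0' && *ext == '\0';
}

/* Reject executable content under any name, and any known type whose bytes
   disagree with its extension. Unknown extensions pass this check. */
enum verdict check_attachment(const char *name, const unsigned char *buf, size_t n) {
    size_t i;
    for (i = 0; i < sizeof EXEC / sizeof EXEC[0]; i++)
        if (starts_with(buf, n, &EXEC[i])) return ATT_ERROR;
    for (i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (ext_is(name, SIGS[i].ext) && !starts_with(buf, n, &SIGS[i])) return ATT_ERROR;
    return ATT_OK;
}

int main(void) {
    /* Constructed sample: an executable header uploaded as example.GIF. */
    return check_attachment("example.GIF", (const unsigned char *)"MZ\x90", 3) == ATT_ERROR ? 0 : 1;
}
```

A two-byte "MZ" match can also flag a plain text file that happens to start with those letters, so a production check would parse further into the header before rejecting.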

Attachments flowchart

The following flowchart helps you understand the attachment security based on the options that you select from the Attachment criteria list.

Attachment security flowchart


Scenarios for restricting attachments

The following table lists examples of parameter values for requests that include attachments:

| Parameter | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4 | Scenario 5 | Scenario 6 |
|---|---|---|---|---|---|---|
| Attachment criteria | Include all attachments | Allow attachment with the following extensions | Allow attachment with the following extensions | Allow attachments with the following extensions | Disallow attachments with the following extensions | Disallow attachments with the following extensions |
| Comma separated list of limit extensions | doc xls jpg gif | doc xls jpg gif | doc xls jpg gif | doc xls jpg gif | exe dll db | exe dll db |
| Attachment exception list | - | Data Visualization Module(41006), Report (2000012) | - | - | - | - |
| Attached File examples | example.dll, example.gif | example.jar (JAR File field on Data Visualization Module form) | example.doc, example.jpg | example.exe, example.db | example.doc, example.txt | example.exe, example.dll |
| Status | File is attached. All attachment options are permitted. | File is attached. The JAR File field ID is added to the attachment exception list. | File is attached. Its extension is on the list of permitted extensions. | File is not attached. Its extension is not on the list of permitted extensions. | File is attached. Its extension is not on the list of disallowed extensions. | File is not attached. Its extension is on the list of disallowed extensions. |

Disabling views

You can also restrict users from viewing the content of certain types of files. Use the Attachment Security tab in the AR System Administration: Server Information form in the BMC Remedy AR System Administration Console. You must be logged on as an administrator to perform this procedure.

  1. In a browser, open the AR System Administration Console, and click System > General > Server Information.
    The AR System Administration: Server Information form appears.
  2. Click the Attachment Security tab, shown in the following figure:
    AR System Administration: Server Information form — Attachment Security tab

  3. Enter the display options that you need, and click Apply.

For any particular attachment that you want to view, the Display button in BMC Remedy Mid Tier or the Display menu command in the BMC Remedy User Tool is enabled only if Display criteria enables you to view that attachment. For all other attachments, the Display button or menu command is dimmed.


Comments

  1. Leonard Warren

    I am a little confused on the "Comma separated list of limit extensions."  In v8.1 documents, the example shows the extensions with a comma and a space in between the next extension.  In v9.1 (here), the example has a comma but no space.  Does it matter if a space is involved or not?

    Also in the scenarios for restricting the extensions, the sample ones DO NOT have a comma separating the extensions but it does show a space.  Can this be changed to reflect with commas and if space/no space is needed?

    Thanks

     

    Aug 08, 2016 12:36
  2. Suhail Soudagar

    Hi Team,

    Please add a section for the Java plugin in the “Attachment validation page” to help future developers.

    Please refer: https://communities.bmc.com/message/606918#606918

    Thanks, Suhail

    Sep 21, 2017 02:52
    1. Piotr Sadowski

      Hi Suhail, when I click on this refer link I receive message: "Unauthorized The area of BMC Communities is visible to registered logged in users. If you are logged in when you receive this message then you might not have sufficient access privileges to view requested page. Please contact us if you need any further assistance."

      Mar 30, 2018 08:14
      1. Anagha Deshpande

        Hello Piotr,

        I will check this issue.

        Regards,

        Anagha

        Apr 01, 2018 09:58
        1. Piotr Sadowski

          Hi Anagha, do you have any update regarding the referred link https://communities.bmc.com/message/606918#606918? It is still not working. Also, what I found is that there is no such option as "Include all attachments" in Attachment criteria, but there is "Allow all attachments". Could you please correct this? Thanks Regards, Piotr

          Aug 12, 2018 06:04
          1. Anagha Deshpande

            Hello Piotr,

            We are working on this issue. We will provide an update soon.

            Regards,

            Anagha

            Aug 12, 2018 10:45
  3. Lj Longwing

    The section titled 'Attachment validation plugin name' doesn't give sufficient information about how to write a plugin.  The example provided is of a C plugin, we need one from a Java plugin.  There needs to be sufficient information to specify what the inputs are, expected outputs and how errors are handled.  Additionally, I cannot find ANYTHING related to how you capture logging of what's happening in that plugin or if the plugin is even firing, if it's loading, or anything related to the plugin.  Additional documentation is needed please.

    Feb 20, 2018 02:32
  4. Eman Abdelhamid

    Is there a solution for upper case and lower case extension issue other than repeating the same extension twice in upper/lower case?

    Jan 02, 2019 07:27
    1. Anagha Deshpande

      Hello Eman,

      We are working on your query. We will respond shortly.

      Regards,

      Anagha

      Jan 02, 2019 09:59
      1. Anagha Deshpande

        Hello Eman,

        I apologize for the late response.

        Currently, there is no solution for upper case and lower case extension issue. Please contact BMC Support for further assistance.

        Regards,

        Anagha

        Oct 08, 2019 11:23