# Unauthenticated Node Service Operations


**Report ID:** `ib-noauth-node-svcops`
**Category:** Integration Broker

## Purpose

This report identifies active nodes with no authentication configured (`AUTHOPTN='N'`) and then determines which fully-active service operations are reachable through those nodes. A service operation is considered fully active only when it meets all three criteria: an active version, an active routing, and an active handler.

Any operation reachable through one of these nodes can be invoked without credentials.

## What It Captures

For each active node with no authentication:

- Node metadata (name, description, user ID)
- All fully-active service operations routed through that node
- The routing that links the operation to the node
- Operation type (REST/HTTP Post, Sync/Async)

## Tables Queried

### PSMSGNODEDEFN — Message Node Definitions

Paginated to discover all nodes. Filtered to active nodes with `AUTHOPTN = 'N'`.

|    Field    |         Description         |         Filter         |
| ----------- | --------------------------- | ---------------------- |
| MSGNODENAME | Node name (primary key)     |                        |
| ACTIVE_NODE | Active status               | Must be `'1'` (active) |
| AUTHOPTN    | Authentication option       | Must be `'N'` (none)   |
| USERID      | PeopleSoft user ID for node |                        |
| DESCR       | Short description           |                        |

### PSOPERATION — Service Operation Definitions

Paginated to discover all operations.

|      Field       |            Description            |
| ---------------- | --------------------------------- |
| IB_OPERATIONNAME | Operation name (primary key)      |
| RTNGTYPE         | Routing type (S=Sync, A=Async)    |
| IB_REST_SERVICE  | REST indicator (0=SOAP, 1/2=REST) |

### PSOPRVERDFN — Operation Version Definitions

|    Field    |      Description      |           Filter           |
| ----------- | --------------------- | -------------------------- |
| ACTIVE_FLAG | Version active status | At least one must be `'A'` |

### PSOPRHDLR — Operation Handlers

|    Field    |      Description      |           Filter           |
| ----------- | --------------------- | -------------------------- |
| ACTIVE_FLAG | Handler active status | At least one must be `'A'` |

### PSIBRTNGDEFN — Integration Broker Routing Definitions

|      Field       |       Description       |              Filter               |
| ---------------- | ----------------------- | --------------------------------- |
| ROUTINGDEFNNAME  | Routing definition name |                                   |
| SENDERNODENAME   | Sender node             | Checked against no-auth node list |
| RECEIVERNODENAME | Receiver node           | Checked against no-auth node list |
| EFF_STATUS       | Effective status        | Must be `'A'` (active)            |

## Data Flow

```text
1. Paginate through all PSMSGNODEDEFN records
   -> Filter to active nodes with AUTHOPTN = 'N'
   -> Build set of no-auth node names
        |
        v
2. Paginate through all PSOPERATION records
   (batches of 300)
        |
        v
3. For each operation, fetch full details
   (versions, handlers, routings)
        |
        v
4. Filter to "fully active" operations:
   - At least one active version
   - At least one active handler
   - At least one active routing
        |
        v
5. Check if any active routing references
   a no-auth node (as sender OR receiver)
        |
        v
6. Generate report grouped by node
```
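The filtering and join logic of steps 1 and 4 to 6, as an added example that is not the report's own code. The record shape (`version_flags`, `handler_flags`, `routings` per operation), the helper names and all sample data are assumptions; column names are the ones listed above.

```python
from collections import defaultdict

def no_auth_nodes(nodes):
    """Step 1: names of active nodes with AUTHOPTN = 'N'."""
    return {n["MSGNODENAME"] for n in nodes
            if n["ACTIVE_NODE"] == "1" and n["AUTHOPTN"] == "N"}

def reachable_by_node(nodes, operations):
    """Steps 4-6: no-auth node -> [(operation, routing, type), ...]."""
    exposed = no_auth_nodes(nodes)
    if not exposed:                      # early exit with a clean result
        return {}
    report = defaultdict(list)
    for op in operations:
        active = [r for r in op["routings"] if r["EFF_STATUS"] == "A"]
        # Fully active = active version AND active handler AND active routing.
        if not ("A" in op["version_flags"] and "A" in op["handler_flags"] and active):
            continue
        kind = "REST" if str(op["IB_REST_SERVICE"]) in ("1", "2") else "HTTP Post"
        kind += "/Sync" if op["RTNGTYPE"] == "S" else "/Async"
        for r in active:                 # match as sender OR receiver
            for node in {r["SENDERNODENAME"], r["RECEIVERNODENAME"]} & exposed:
                report[node].append((op["IB_OPERATIONNAME"], r["ROUTINGDEFNNAME"], kind))
    return dict(report)

def mk_rt(name, sender, receiver, status):
    return {"ROUTINGDEFNNAME": name, "SENDERNODENAME": sender,
            "RECEIVERNODENAME": receiver, "EFF_STATUS": status}

def mk_op(name, rtngtype, rest, versions, handlers, routings):
    return {"IB_OPERATIONNAME": name, "RTNGTYPE": rtngtype, "IB_REST_SERVICE": rest,
            "version_flags": versions, "handler_flags": handlers, "routings": routings}

# Constructed sample data; "I" stands in for any non-active flag value.
NODES = [
    {"MSGNODENAME": "EXT_PARTNER", "ACTIVE_NODE": "1", "AUTHOPTN": "N"},
    {"MSGNODENAME": "HR_LOCAL", "ACTIVE_NODE": "1", "AUTHOPTN": "P"},
    {"MSGNODENAME": "OLD_NODE", "ACTIVE_NODE": "0", "AUTHOPTN": "N"},
]
OPS = [
    mk_op("SAMPLE_GET", "S", "1", ["A"], ["A"], [mk_rt("RT_GET", "EXT_PARTNER", "HR_LOCAL", "A")]),
    mk_op("SAMPLE_PUSH", "A", "0", ["I", "A"], ["A"], [mk_rt("RT_PUSH", "HR_LOCAL", "EXT_PARTNER", "A")]),
    mk_op("NO_HANDLER", "S", "0", ["A"], ["I"], [mk_rt("RT_NH", "EXT_PARTNER", "HR_LOCAL", "A")]),
    mk_op("ROUTE_OFF", "S", "1", ["A"], ["A"], [mk_rt("RT_OFF", "EXT_PARTNER", "HR_LOCAL", "I"),
                                                mk_rt("RT_ON", "HR_LOCAL", "HR_LOCAL", "A")]),
    mk_op("STALE_NODE", "S", "1", ["A"], ["A"], [mk_rt("RT_OLD", "OLD_NODE", "HR_LOCAL", "A")]),
]
```

Only `SAMPLE_GET` and `SAMPLE_PUSH` are reported: the other three fail on an inactive handler, an inactive routing to the no-auth node, and an inactive node respectively.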

## Report Output

The generated report contains:

- **Header** with database name and generation timestamp
- **Summary** with counts of no-auth nodes, total operations checked, and matching operations
- **No-Auth Nodes table** listing each unauthenticated node with its user ID and count of reachable operations
- **Per-node sections** with a table of all service operations accessible through that node, including operation type and routing name
- **Recommendations** for remediation

## Interpreting Results

- **Nodes with many accessible operations** are higher risk and should be prioritized for remediation
- **The User ID on each node** indicates which PeopleSoft user context operations run under when invoked through that node. Review that user's privileges
- **REST operations** are typically more easily exploitable from external systems than HTTP Post (SOAP) operations
- **If no nodes are found** with `AUTHOPTN='N'`, the report exits early with a clean result

## Recommendations

1. Configure authentication (`AUTHOPTN = 'P'` or `'C'`) on all active nodes
2. Set internal and/or external passwords on nodes that require password authentication
3. Review the PeopleSoft user ID associated with each no-auth node for excessive privileges
4. Consider deactivating routings that should not be accessible without authentication

## Related Reports

- [Nodes with No Password](/docs/reports/security/security-nodes-no-password/) — Identifies nodes with missing authentication or passwords
- [IB Node Security Audit](/docs/reports/integration-broker/ib-node-security-audit/) — Audits node user accounts for elevated privileges
- [Active Service Operations Report](/docs/reports/integration-broker/ib-active-any-routes/) — Lists all active service operations with full details
