# Dangerous Permissions Audit

## Dangerous Permissions Audit Report

**Report ID:** `security-dangerous-permissions`
**Category:** Security

## Purpose

This report identifies permission lists that grant access to dangerous capabilities in PeopleSoft. Each of the eight checks corresponds to a known attack path: SOAP-to-CI lets a permission-list holder call any Component Interface without a dedicated service operation, USERPROFILES lets them create new accounts, and IB_NODE lets them point an Integration Broker node at attacker-controlled infrastructure. Each category is assigned a severity level (CRITICAL or HIGH) to help prioritize remediation.

## What It Checks

The report audits 8 categories of dangerous access:

### CRITICAL Severity

|           Category           |                                               Menu/Bar Item                                               |                                               Risk                                               |
| ---------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
| SOAP to CI (WEBLIB_SOAPTOCI) | `MENUNAME = 'WEBLIB_SOAPTOCI'`                                                                            | Allows programmatic access to Component Interfaces via SOAP without dedicated service operations |
| User Profile Management      | `MENUNAME = 'MAINTAIN_SECURITY'`, bar items: USERPROFILES, USER_SAVEAS, USERMAINT_DIST (non-display-only) | Ability to create, modify, or delete user profiles — the highest-level security object           |
| Node Configuration           | `MENUNAME = 'IB_CONFIGURE'`, bar item: IB_NODE (non-display-only)                                         | Ability to define or modify Integration Broker nodes, including authentication credentials       |

### HIGH Severity

|             Category             |                                                   Menu/Bar Item                                                   |                                        Risk                                        |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| WSDL Generation (WEBLIB_MSGWSDL) | `MENUNAME = 'WEBLIB_MSGWSDL'`                                                                                     | Can expose the structure and endpoints of web services                             |
| Role Management                  | `MENUNAME = 'MAINTAIN_SECURITY'`, bar items: ROLEMAINT, ROLESAVEAS (non-display-only)                             | Ability to create, modify, or delete roles, controlling permission assignments     |
| Permission List Purge            | `MENUNAME = 'MAINTAIN_SECURITY'`, bar items: PURGE_PERMLIST, PURGE_ROLEDEFN, PURGE_USR_PROFILE (non-display-only) | Ability to purge permission lists, roles, or user profiles                         |
| URL Definitions Management       | `MENUNAME = 'MAINTAIN_SECURITY'`, bar item: URL_MAINTENANCE (non-display-only)                                    | Ability to create or modify URL definitions for redirects or external integrations |
| Process Type Definitions         | `MENUNAME = 'PROCESSMONITOR'`, bar item: PRCSTYPE (non-display-only)                                              | Ability to modify process type definitions controlling batch process execution     |

## Table Queried

### PSAUTHITEM — Authorization Items

Queried once per category with the specific WHERE clause for that check.

|    Field    |                        Description                        |
| ----------- | --------------------------------------------------------- |
| CLASSID     | Permission list that has this access                      |
| MENUNAME    | Menu name being authorized                                |
| BARITEMNAME | Menu bar item name                                        |
| DISPLAYONLY | Display-only flag (`0` = full access, `1` = display only) |

### PSROLECLASS — Role/Permission List Assignments

Queried per permission list found, via `GetPermissionListRoles`.

|  Field   |               Description               |
| -------- | --------------------------------------- |
| CLASSID  | Permission list                         |
| ROLENAME | Role that includes this permission list |

### PSOPRALIASTYPE / PSOPRDEFN — User Counts

Queried in batch via `GetUnlockedUserCountForRoles` to count unlocked users per role.

## Data Flow

```text
1. For each of 8 dangerous capability categories:
        |
        v
2. Query PSAUTHITEM with category-specific WHERE clause
   -> Extract unique permission lists (CLASSID)
        |
        v
3. For each permission list found:
   -> Fetch assigned roles via PSROLECLASS
        |
        v
4. Batch query unlocked user counts for all roles
        |
        v
5. Sort findings by total unlocked user count (descending)
        |
        v
6. Generate per-category section with severity badge,
   description, and permission list table
        |
        v
7. Generate summary and recommendations
```
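The following is an added worked example of the check and data flow described above; it is not the report's own code. It transcribes the eight category WHERE clauses from the CRITICAL and HIGH tables, runs them against a constructed in-memory SQLite stand-in for PSAUTHITEM, PSROLECLASS and PSOPRDEFN, and produces per-category findings sorted by unlocked user count. The PSROLEUSER table (ROLEUSER, ROLENAME) used for the role-to-user join and the ACCTLOCK column on PSOPRDEFN are assumptions, since the page names only the helper functions for that step; all permission list, role and user names are constructed sample data.

```python
import sqlite3
from typing import Dict, List

# The eight checks, transcribed from the report's CRITICAL and HIGH tables.
# The WHERE fragments are fixed constants defined here (never user input),
# which is the only reason they may be concatenated into SQL below.
NON_DISPLAY = " AND DISPLAYONLY = 0"
CATEGORIES = [
    ("SOAP to CI", "CRITICAL", "MENUNAME = 'WEBLIB_SOAPTOCI'"),
    ("User Profile Management", "CRITICAL",
     "MENUNAME = 'MAINTAIN_SECURITY' AND BARITEMNAME IN "
     "('USERPROFILES', 'USER_SAVEAS', 'USERMAINT_DIST')" + NON_DISPLAY),
    ("Node Configuration", "CRITICAL",
     "MENUNAME = 'IB_CONFIGURE' AND BARITEMNAME = 'IB_NODE'" + NON_DISPLAY),
    ("WSDL Generation", "HIGH", "MENUNAME = 'WEBLIB_MSGWSDL'"),
    ("Role Management", "HIGH",
     "MENUNAME = 'MAINTAIN_SECURITY' AND BARITEMNAME IN "
     "('ROLEMAINT', 'ROLESAVEAS')" + NON_DISPLAY),
    ("Permission List Purge", "HIGH",
     "MENUNAME = 'MAINTAIN_SECURITY' AND BARITEMNAME IN "
     "('PURGE_PERMLIST', 'PURGE_ROLEDEFN', 'PURGE_USR_PROFILE')" + NON_DISPLAY),
    ("URL Definitions Management", "HIGH",
     "MENUNAME = 'MAINTAIN_SECURITY' AND BARITEMNAME = 'URL_MAINTENANCE'" + NON_DISPLAY),
    ("Process Type Definitions", "HIGH",
     "MENUNAME = 'PROCESSMONITOR' AND BARITEMNAME = 'PRCSTYPE'" + NON_DISPLAY),
]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the PeopleTools security tables.
    PSROLEUSER and PSOPRDEFN.ACCTLOCK (0 = unlocked) are assumed for the
    role-to-user step; every row below is sample data, not real output."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE PSAUTHITEM (CLASSID TEXT, MENUNAME TEXT, BARITEMNAME TEXT, DISPLAYONLY INTEGER);
        CREATE TABLE PSROLECLASS (CLASSID TEXT, ROLENAME TEXT);
        CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT);
        CREATE TABLE PSOPRDEFN (OPRID TEXT, ACCTLOCK INTEGER);
    """)
    conn.executemany("INSERT INTO PSAUTHITEM VALUES (?, ?, ?, ?)", [
        ("PL_INTEGRATION", "WEBLIB_SOAPTOCI", "SOAPTOCI", 0),
        ("PL_INTEGRATION", "WEBLIB_MSGWSDL", "MSGWSDL", 0),
        ("PL_ORPHAN", "WEBLIB_SOAPTOCI", "SOAPTOCI", 0),          # no role uses this list
        ("PL_SECADMIN", "MAINTAIN_SECURITY", "USERPROFILES", 0),
        ("PL_SECADMIN", "MAINTAIN_SECURITY", "ROLEMAINT", 0),
        ("PL_SECADMIN", "IB_CONFIGURE", "IB_NODE", 0),
        ("PL_SECADMIN", "PROCESSMONITOR", "PRCSTYPE", 0),
        ("PL_HELPDESK", "MAINTAIN_SECURITY", "USERPROFILES", 1),  # display-only: not flagged
    ])
    conn.executemany("INSERT INTO PSROLECLASS VALUES (?, ?)", [
        ("PL_INTEGRATION", "IntegrationDeveloper"), ("PL_INTEGRATION", "Vendor"),
        ("PL_SECADMIN", "SecurityAdministrator"), ("PL_HELPDESK", "Helpdesk"),
    ])
    conn.executemany("INSERT INTO PSROLEUSER VALUES (?, ?)", [
        ("ALICE", "SecurityAdministrator"), ("BOB", "IntegrationDeveloper"),
        ("CAROL", "IntegrationDeveloper"), ("DAVE", "Vendor"), ("ERIN", "Helpdesk"),
    ])
    conn.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?)", [
        ("ALICE", 0), ("BOB", 0), ("CAROL", 1), ("DAVE", 0), ("ERIN", 0),  # CAROL is locked
    ])
    return conn


def find_permission_lists(conn: sqlite3.Connection, where: str) -> List[str]:
    """Step 2: unique CLASSIDs in PSAUTHITEM matching one category's WHERE clause."""
    rows = conn.execute(f"SELECT DISTINCT CLASSID FROM PSAUTHITEM WHERE {where} ORDER BY CLASSID")
    return [r[0] for r in rows]


def get_permission_list_roles(conn: sqlite3.Connection, classid: str) -> List[str]:
    """Step 3: roles that include a permission list (PSROLECLASS)."""
    rows = conn.execute("SELECT ROLENAME FROM PSROLECLASS WHERE CLASSID = ? ORDER BY ROLENAME", (classid,))
    return [r[0] for r in rows]


def get_unlocked_user_count_for_roles(conn: sqlite3.Connection, roles: List[str]) -> Dict[str, int]:
    """Step 4: one batched query for unlocked users per role; roles with none map to 0."""
    counts = {role: 0 for role in roles}
    if not roles:
        return counts
    placeholders = ", ".join("?" * len(roles))
    rows = conn.execute(
        "SELECT ru.ROLENAME, COUNT(DISTINCT ru.ROLEUSER) FROM PSROLEUSER ru "
        "JOIN PSOPRDEFN o ON o.OPRID = ru.ROLEUSER "
        f"WHERE o.ACCTLOCK = 0 AND ru.ROLENAME IN ({placeholders}) GROUP BY ru.ROLENAME", roles)
    counts.update(dict(rows))
    return counts


def run_audit(conn: sqlite3.Connection) -> List[dict]:
    """Steps 1-5: per-category findings, sorted by total unlocked users (descending)."""
    report = []
    for name, severity, where in CATEGORIES:
        roles_by_list = {c: get_permission_list_roles(conn, c) for c in find_permission_lists(conn, where)}
        counts = get_unlocked_user_count_for_roles(conn, sorted({r for rs in roles_by_list.values() for r in rs}))
        findings = [{"permission_list": c, "roles": rs, "unlocked_users": sum(counts[r] for r in rs)}
                    for c, rs in roles_by_list.items()]
        findings.sort(key=lambda f: (-f["unlocked_users"], f["permission_list"]))
        report.append({"category": name, "severity": severity, "findings": findings})
    return report


if __name__ == "__main__":
    for section in run_audit(build_sample_db()):
        print(f"[{section['severity']}] {section['category']}: {len(section['findings'])} permission list(s)")
        for f in section["findings"] or []:
            print(f"    {f['permission_list']:16} roles={f['roles']} unlocked_users={f['unlocked_users']}")
```

The total per permission list is the sum of its roles' counts, matching the per-role batch query the data flow describes; a user holding two roles that both carry the same list is therefore counted once per role. Orphaned lists such as `PL_ORPHAN` still appear (with no roles and a count of 0), and the display-only `PL_HELPDESK` row is filtered out by the `DISPLAYONLY = 0` condition on the menu-based checks.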

## Parameters

This report has no configurable parameters.

## Report Output

The generated report contains:

- **Header** with database name and generation timestamp
- **Per-category sections** (8 total), each with:
  - Severity badge (CRITICAL or HIGH)
  - Description of the dangerous capability
  - Count of permission lists with this access
  - Table with: Permission List (linked), Roles, Unlocked User count
  - Or "No findings" if no permission lists have this access
- **Summary** with total categories checked and total permission lists found
- **Recommendations** for each category

## Interpreting Results

- **CRITICAL findings should be reviewed immediately.** SOAP-to-CI access, user profile management, and node configuration can all be used for privilege escalation or unauthorized data access.
- **HIGH findings should be scheduled for remediation.** These capabilities are security-sensitive but may have legitimate use cases in limited quantities.
- **Permission lists with no roles assigned** may be orphaned but should still be reviewed — they could be assigned in the future.
- **High unlocked user counts** indicate broad exposure to the dangerous capability and should be prioritized for remediation.
- **Display-only access is excluded.** The report only flags non-display-only (`DISPLAYONLY = 0`) access for menu-based checks, so findings represent actual write/execute capability.

## Recommendations

1. Remove WEBLIB_SOAPTOCI access in production environments unless absolutely required for integration — use dedicated service operations instead
2. Restrict WSDL generation to development environments only; in production, serve static WSDL files
3. Limit user profile management to a small number of designated security administrators
4. Implement change management processes for role and permission list modifications
5. Restrict purge operations to emergency use only and require approval workflows
6. Audit node configuration access regularly, as nodes contain authentication credentials
