Approvals using the Outlook Client Technology

One of the conversations I had during my week in Berlin was with Dimitry Kaganski a Sr. Architect here at Quest. He had been asked by a customer, why we were not using Microsoft Outlook Client built-in work-flow to allow Outlook users to click a button to approve or reject work-flow requests in ActiveRoles Server. (The current version of ActiveRoles Server requires a user to be authenticated and we use those details to determine what approval tasks should be displayed.) I also mentioned that I have had other customers ask about this as a possible future feature. Dimitry’s next comment, knocked me flat on my heals.

Dimitry asked me how if we did provide approve/reject in Outlook workflow how would we prevent mailbox delegates clicking approve or reject before the mailbox owner saw the request – I had absolutely no answer. Because the activities of a delegate are not tracked, there is really no way to know what a delegated user is doing in the mailbox and so you would not know either what messages have been read or what approvals would have been processed. My fears about approving/rejecting requests had always been more around Spoofing, this conversation gives me even more concerns. Unless our brilliant developers could find some way around the way Outlook/Exchange work – I doubt this feature would ever make it through a compliance audit.

Bob posted at 2009-9-17 Category: Active Directory, Identity | Tags: , , , , , ,

4 Responses Leave a comment

  1. #1Alexi Vereschaga @ 2009-10-1 12:12

    Wait a sec, when you click that button you POST data to ARS web interface (iis with windows auth) and then it is passed to ARS. ARS web server should authenticate you and if you have rights to see someone else’s mailbox it doesn’t mean that ARS web server will authenticate you as that user. Unless I am missing something it should not be a problem, you should just get access denied by the ARS engine – either by IIS or the actual ARS.

  2. #2Bob Bobel @ 2009-10-1 13:44

    That is true for ActiveRoles, but there are other vendors who use the forms inside Outlook – this is where they run into the problem.

  3. #3Dmitry K @ 2009-11-24 16:14

    That name is Dmitry Kagansky. Glad Bob knows how to check the GAL to get the right spelling. And, yes, most workflow systems that use email (not just outlook forms) are susceptible to being subverted in this fashion. ARS does, but there are still a lot of vendors that don`t require authentication (or re-authentication) at key steps within a workflow.

  4. #4Bob Bobel @ 2009-11-25 12:25

    I used the americanized russian spelling. ;)

Leave a Reply

(Ctrl + Enter)