Making a copy of dashboard gives permission to vie...

jeka · 09-04-2024 03:42 AM

A very important bug that affects the security policy and usability of looker studio! Please help us protect ourselves, maybe we don't see something. Thanks in advance.

There are 3 main roles in looker studio: owner, editor and user with viewing rights. Even having viewing rights, you can make a copy of dashboard, because by default the access settings do not prohibit this. And in this copy of yours you become the owner, i.e. you have all the rights. And then in the "resource - added data sources" tab you can create copies of existing sources and change the sql-request to any, and you don't even need a password, and the IP and user's login are saved, and it all works. I checked it on my second email, not related to the company.

It turns out that any third party to whom we gave access to view dashboards could view our database with simple actions. You can protect yourself from this by enabling the setting "prohibit viewers from downloading, printing and copying", but this greatly spoils the work of our colleagues, who for convenience and further actions wanted to download tables from the lookers dashboard for themselves, but after the setting they will not be able to

jeka

@marcwo, can you help me, please? Is it possible to allow exporting data from diagrams and prohibit coping of the dashboards? Or can you hand over my question to another staff person?

lauratilton

You state: "in the "resource - added data sources" tab you can create copies of existing sources and change the sql-request to any, and you don't even need a password, and the IP and user's login are saved, and it all works."

What is your data source in this scenario? How is the data source shared (owner's credentials or viewer's credentials.) I definitely am not able to access data sources when making a copy of a shared report from an unrelated account (Sheets or BQ data source).

jeka

Thank you for your reply, I use a data source - connection to Postgresql (in screenshot 1 below). I understand your confusion, I did not expect such a scenario. But just try to follow all the steps I described in sequence. I will duplicate them here just in case.
I made some dashboard from one account. I distributed only viewing rights to another email, that hasn't to do with first one (in screenshot 2 below). I did not have the export and copying ban active (in screenshot 3 below) in the settings. From this second email, having only viewing access, I made a copy of the current dashboard (in screenshot 4 below). In the created copy, that same second email began to have the owner's access rights, i.e. now you can work with data sources. It is logical that you cannot change other people's sources, but in fact, you can bypass this ban: just make a copy of an existing source (in my case, a connection to Postgresql), as in screenshot 5. Then everything except the password is saved in the credits in the copy of the source. I thought that I wouldn't be able to work with this source without a password, but it worked. It worked and I was able to build a table. Moreover, I wrote another SQL query for this source and was also able to connect and build another table without a password. Sounds amazing, right? Try it yourself.
The solution to the problem was to prohibit export and copying (screenshot 3) for the "viewer" access rights. But then all those people for whom I built these dashboards cannot upload tables to gsheets, for example, because they also have the same access rights. I want to understand whether I have found a very dangerous bug in the work that could be the cause of data theft. And how can I resolve the situation when I want to provide the ability to export data for the "viewer" role, but I do not want to provide the ability to copy the entire dashboard in order to protect myself from access to my database.

Making a copy of dashboard gives permission to view the database