Our security auditors noticed that in ArcGIS Portal, you can directly browse to a user's profile page and obtain some information, even when the profile is set to be private. Here's an example:
Pick any user in your ArcGIS Enterprise and navigate to
https://my-esri-portal.com/portal/sharing/rest/community/users/user.name
You can see some information about the user:
Even when the user profile is switched to be private, some fields such as User Id, Member Since, and Last Login are always displayed.
Note that you cannot publicly access the list of users, but if you know a user name or can guess the portal's admin user name, you would be able to access restricted info.
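Added example, not part of the original post and not Esri code: since the user list is not public but individual profile URLs respond to a known or guessed name, a defender can watch the web tier's access log for one client requesting many distinct names under `/sharing/rest/community/users/`. The Common Log Format layout, the sample lines, the threshold and the function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Profile path from the post: .../sharing/rest/community/users/<username>
USER_PATH = re.compile(r"/sharing/rest/community/users/([^/?\s]+)")
# Assumed Common Log Format: client - - [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')


def profile_lookups(lines):
    """Yield (client_ip, username) for every request to a user profile URL."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, path = m.group(1), m.group(2)
        u = USER_PATH.search(path)
        if u:
            # Decode percent-encoding so "user%2Ename" and "user.name" count once.
            yield ip, unquote(u.group(1))


def flag_enumeration(lines, threshold=3):
    """Return {client_ip: sorted usernames} for clients that requested
    at least `threshold` distinct profile names (hypothetical threshold)."""
    seen = defaultdict(set)
    for ip, user in profile_lookups(lines):
        seen[ip].add(user)
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= threshold}


# Constructed sample log lines (documentation IP ranges, made-up names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /portal/sharing/rest/community/users/admin?f=json HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /portal/sharing/rest/community/users/portaladmin?f=json HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /portal/sharing/rest/community/users/siteadmin?f=json HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /portal/sharing/rest/community/users/admin HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "GET /portal/sharing/rest/community/users/user.name?f=json HTTP/1.1" 200 530',
    '198.51.100.20 - - [01/Jan/2024:10:05:09 +0000] "GET /portal/sharing/rest/community/users/user%2Ename HTTP/1.1" 200 530',
    '198.51.100.20 - - [01/Jan/2024:10:06:00 +0000] "GET /portal/home/index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, names in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(names)} distinct profiles: {', '.join(names)}")
```

Repeated requests for the same name, such as a user viewing their own profile, do not raise the count; only distinct names per client do.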