Article - CS236520
Explicitly Denying ThingWorx Users Permission to Run ChangePassword Service On Themselves Does Not Stop Them From Changing Their Passwords Via REST API
Modified: 11-May-2016
Applies To
- ThingWorx Platform 6.5
- Issue found in 6.5 and 7.1
Description
- Users have default visibility over themselves and can change their own passwords in ThingWorx Composer regardless of what permissions are set.
- Specifically disallowing access to the ChangePassword service under Runtime Permissions on the User does not prevent a password reset via the REST API.