Dynamic groups. Basics

It seems that “dynamic groups” is yet another white spot in documentation: Fundamentals guides states that dynamic groups can’t belong to non-dynamic, Administration and Configuration guide, in opposite, gives an example of such possibility: dm_browse_all/dm_browse_all_dynamic, dm_superusers/dm_superusers_dynamic (I have no idea why dm_read_all/dm_read_all_dynamic pair is missed in Administration guide). The only true thing about dynamic groups you can read in documentation is: dynamic groups are intended to be enabled/disabled in runtime, which allows user to gain/loose some extra privileges.
Continue reading

CVE-2014-2515 (D2GetAdminTicketMethod). Was it really fixed?

Previous investigations

Continue reading

Tracking changes in TBO

Initially I wanted to write something like “DFC has a cool method ISession#getUncachedObject(IDfId objectId, String currencyCheckValue) that allows to track changes in TBO”, but after investigating how XCP wrongly implements the same functionality in business events, I realized that it’s worth to pay more attention to the problem, because even vendor does not know how DFC does work.
Continue reading