6 Replies Latest reply on Oct 16, 2012 11:52 AM by Jerry VanScoter

    Making Ariba easier to use (part one of a long series)

    Andrew Gill Master

      I've spent twenty minutes by phone this morning with a frustrated user; eighteen minutes of the call were most likely their frustration at the sign on process to Ariba Sourcing.

       

      User names are case sensitive on both buyer and supplier side i.e. agill logs me in, but AGILL doesn't, and if I request a password reset for an invalid user name or email address, Ariba still tells me the password reset is en route.  If you'd like to test it, request a password for blah@blah.com

       

      I've logged a Service Request for this, and wait to hear that Ariba is performing as designed / expected, but nowhere does 'logically' fall in the response.

       

      Does anyone understand the rationale in having user names case sensitive, and can anyone make suggestions why the self-service resets don't check for a valid value (i.e. user name doesn't exist) as part of the process?

       

      best

       

      andrew

      -

      Andrew Gill | Global eSourcing Manager | Reed Elsevier

       

      andrew.gill@reedelsevier.com

       

      screen shot after password reset for blah@blah.com (https://dl.dropbox.com/u/39244584/eSourcing/password.jpg)

        • Re: Making Ariba easier to use (part one of a long series)
          Jason Brown Master

          Andrew:

           

          Usernames are case sensitive because of backwards compatibility. Our original application had case-sensitive usernames. We did an analysis to see if we could go to case-insensitive usernames and there were many, many users that would have duplicate user names. We are still evaluating ways to alleviate this issue and go to case-insensitivity, but until that time we will remain case-sensitive.

           

          The reason why the email response goes through on an invalid user is so that a hacker cannot guess at valid user names. If we were to give back an error message on an invalid user name, then a hacker could continue to try until they get a "hit" of email sent and then proceed from there.

           

          Regards,

          Jason Brown

          Dir. Solutions Management - On-Demand Platform
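The enumeration-resistant reset flow described in the reply above, as an added example that is not part of the original post and not Ariba's code: the reply is identical for a hit and a miss, and misses are recorded server-side so repeated guessing from one source can be detected. The class, function names, token lifetime and sample accounts are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from collections import Counter

GENERIC_REPLY = "If that account exists, a password reset email is on its way."
TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime

class ResetService:
    def __init__(self, accounts):
        self.accounts = accounts  # username -> email (constructed sample data)
        self.outbox = []          # stands in for a mail queue
        self.tokens = {}          # sha256(token) -> (username, expiry)
        self.audit = []           # (source, identifier, matched); never shown to the caller

    def _find(self, identifier):
        # Exact, case-sensitive match on user name or email, as the thread describes.
        for username, email in self.accounts.items():
            if identifier in (username, email):
                return username, email
        return None

    def request_reset(self, identifier, source):
        match = self._find(identifier)
        if match:
            username, email = match
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
            self.tokens[digest] = (username, time.time() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))  # queued; delivery happens out of band
        self.audit.append((source, identifier, match is not None))
        return GENERIC_REPLY  # same text whether or not the account exists

    def noisy_sources(self, max_misses=3):
        # Sources with more than max_misses unknown identifiers: candidates for throttling.
        misses = Counter(src for src, _, matched in self.audit if not matched)
        return sorted(src for src, n in misses.items() if n > max_misses)

def demo():
    svc = ResetService({"agill": "agill@example.com"})
    replies = {svc.request_reset(i, "198.51.100.7")
               for i in ("agill", "AGILL", "blah@blah.com")}
    for n in range(4):
        svc.request_reset(f"guess{n}", "203.0.113.9")
    return replies, len(svc.outbox), svc.noisy_sources()

if __name__ == "__main__":
    print(demo())
```

Queuing the mail instead of sending it inline also keeps response time from differing between existing and non-existing accounts.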

            • Re: Making Ariba easier to use (part one of a long series)
              Andrew Gill Master

              Hi

               

              Thanks for the reply.

               

              Point one sounds almost crazy that users could be created this way, but every customer is different. 

               

              Point two sounds like it needs a review, since many other eCommerce services allow this, but if a 'hacker' knows a username, what can they do with it?  Unless they also have access to the user's email, they can't reset a password and then spoof the system.

               

              Both of these are problems, and I'd be happy to work with Ariba on fixing them, rather than just admitting they exist.  It really is a hard sell to tell users that usernames are case sensitive, and if you can't remember your username, you're stuck.

               

              best

               

              andrew

            • Re: Making Ariba easier to use (part one of a long series)
              Jerry VanScoter Expert

              As an administrator I occasionally get calls from users that forgot their user names.  I just go into the system and look up their name.  I can then send them a password reset email that provides them with all the information they need to log in and create a new password.  If they know their password but just need their user id I can provide that to them as well.  However, if they just click on Forgot user name and enter their email address they can receive it just as easily.  Unless they forget their email address they should never be stuck.

               

              As for point two, it may be a little tough on people that can't type their email address correctly into the system but I can tell you from experience that many customers out there are very sensitive to security issues and would not be open to allowing lax security in Ariba.  For some clients, the security Ariba provides is one of the reasons they selected Ariba as opposed to some of the other "eCommerce services".  I have been through some very strenuous security surveys from the customers we service and trust me, these things do matter.

                • Re: Making Ariba easier to use (part one of a long series)
                  Andrew Gill Master

                  Hi Jerry

                   

                  Thanks for the reply, and comments. 

                   

                  You're right, security is very important, however you'll agree that there needs to be a careful balance between security and user adoption.

                   

                  This has become more of a problem for us since the upgrade to 12s1 where users have been able to select new userids and administrators such as you and I can no longer request a password reset after a user migrates to the Ariba Commerce Cloud.

                   

                  best

                   

                  andrew

                    • Re: Making Ariba easier to use (part one of a long series)
                      David Morel Master

                      Andrew...you are right it is a tough balance, but an important one. You will be happy to hear that we have listened to you and other customers and are currently working on a solution to help the situation. We will be allowing buyers to initiate such help for their suppliers in an upcoming service pack. Once the solution gets final, I will post what we have planned to this thread.  Sound good?

                      • Re: Making Ariba easier to use (part one of a long series)
                        Jerry VanScoter Expert

                        Yes.  I understand the issue with the supplier users.  I'm not too familiar with that process.  My issues are normally with company users that I have permissions set up to administrate.  I can also see where allowing them to create their own user id's can result in multiple versions of the same name.  For our internal users I set up all user id's with no caps which makes things much easier to administrate.
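The duplicate-name analysis mentioned earlier in the thread, as an added example that is not part of any post and not Ariba's code: it groups existing user names that would collide under case-insensitive matching, and shows one possible transition rule (an assumption, not a described Ariba feature) that accepts a differently-cased name only when it maps to exactly one account. The sample user names are constructed.

```python
import unicodedata
from collections import defaultdict

def canonical(username):
    # NFKC folds compatibility forms (e.g. full-width letters); casefold() is
    # a more thorough lower-casing intended for caseless comparison.
    return unicodedata.normalize("NFKC", username).casefold()

def collision_groups(usernames):
    """Return {canonical form: [existing names]} for names that would become duplicates."""
    groups = defaultdict(list)
    for name in usernames:
        groups[canonical(name)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}

def resolve_login(typed, usernames):
    """Map what the user typed to one stored user name, or None.

    An exact match wins, which preserves today's case-sensitive behaviour.
    A case-insensitive match is accepted only when it is unambiguous, so a
    user in a collision group can never be resolved to someone else's account.
    """
    if typed in usernames:
        return typed
    candidates = [u for u in usernames if canonical(u) == canonical(typed)]
    return candidates[0] if len(candidates) == 1 else None

# Constructed sample directory: one collision group, two unique names.
EXISTING = {"agill", "JSmith", "jsmith", "JSMITH", "mbrown"}

def demo():
    return (
        collision_groups(EXISTING),
        resolve_login("AGILL", EXISTING),   # unique under case folding
        resolve_login("Jsmith", EXISTING),  # ambiguous: three accounts fold to it
        resolve_login("jsmith", EXISTING),  # exact match still works
    )

if __name__ == "__main__":
    print(demo())
```

Creating new ids in lower case only, as in the post above, keeps the collision report from growing while the existing groups are cleaned up.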