RPC user able to start a flow they don't have permissions to

Description

From external contributors:
https://github.com/corda/corda/issues/5861

Corda Open Source 4.3

I connect to my node using the standalone shell:

The config file looks like this:

My RPC user, which I used to log in to the standalone shell, doesn't have the permission to run the CreateEvolvableShokenType flow:

Running flow list shows that flow:

And the user is able to start the flow:

Assignee

Unassigned

Reporter

David Rapacchiale

Labels

Priority

High

Fix versions

Ported to...

None

Feature Team

Kernel Group

CVSS Vector

None

Engineering Teams

None

Severity

Medium