Topic
  • 8 replies
  • Latest Post - ‏2012-12-13T14:05:25Z by SystemAdmin
SystemAdmin
SystemAdmin
7615 Posts

Pinned topic Repository Admin

‏2012-09-25T22:33:51Z |
When you log into the process center, if you are in the tw_admins group, and no one as messed with any settings, you are a repository admin. This means that you get a 4th tab at the top of the page called "Admin" where you can control who can login to the Process Center, and if that person also sees this admin tab (as well as other features). By default tw_admins are in this list and have "Admin" checked as a property. Now if someone went and unchecked this for tw_admins, and didn't add anyone else back in, does anyone have an idea where this gets set in the DB? I have a customer where tw_admins are not seeing this tab and want to confirm no one did anything foolish to the configuration, but looking at my install, where I can see that value, I can't figure out where the value is getting stored.

Any help is appreciated. I don't see any good candidates in lsw_usr_grp_xref table, and I've looked at the names of all the other tables and none seem to be good candidates.

Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
Updated on 2012-12-13T14:05:25Z at 2012-12-13T14:05:25Z by SystemAdmin
  • vlit
    vlit
    924 Posts

    Re: Repository Admin

    ‏2012-09-26T07:01:51Z  
    Hi Andrew,

    I don't want to make a deep analyze, but for one of my environments the workaround is:

    INSERT INTO DB2INST1.LSW_ACL_ENTRY (ACL_ENTRY_ID, PO_ID, MASK, PO_TYPE, GROUP_ID) VALUES (1404, 'a0c73b26-a6fb-496c-b280-dbd4bf093c4a', 127, 5000, 3);

    where 1404 - last index number in the table + 1
    'a0c73b26-a6fb-496c-b280-dbd4bf093c4a' - guess yourself :) It is different in all servers.
    127 and 5000 - by default
    3 - index of tw_admins group

    Regards!

    Vladlen.
  • SystemAdmin
    SystemAdmin
    7615 Posts

    Re: Repository Admin

    ‏2012-09-26T14:36:59Z  
    • vlit
    • ‏2012-09-26T07:01:51Z
    Hi Andrew,

    I don't want to make a deep analyze, but for one of my environments the workaround is:

    INSERT INTO DB2INST1.LSW_ACL_ENTRY (ACL_ENTRY_ID, PO_ID, MASK, PO_TYPE, GROUP_ID) VALUES (1404, 'a0c73b26-a6fb-496c-b280-dbd4bf093c4a', 127, 5000, 3);

    where 1404 - last index number in the table + 1
    'a0c73b26-a6fb-496c-b280-dbd4bf093c4a' - guess yourself :) It is different in all servers.
    127 and 5000 - by default
    3 - index of tw_admins group

    Regards!

    Vladlen.
    Vladlen -

    YOU ROCK! Thank you. For anyone else struggling with this, here is what I could decode from looking at a "good" enviornment. (Haven't yet checked the customer's environment). Note that this is not documented and could change at any time, so use at your own risk.

    This table seems to have all the rights for the various items in the repository, like process apps and toolkits, but for my specific question.

    PO_TYPE = 5000 is the repository object.
    MASK is the type of access. 127 appears to be full admin, 63 is access without admin. 5 appears to be read only on Process Apps
    PO_ID is the value of "Installation GUID" in the LSW_SYSTEM table.
    GROUP_ID and USER_ID are, hopefully self explanatory. In my data they are mutually exclusive.
    Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
  • SystemAdmin
    SystemAdmin
    7615 Posts

    Re: Repository Admin

    ‏2012-09-26T15:42:01Z  
    Vladlen -

    YOU ROCK! Thank you. For anyone else struggling with this, here is what I could decode from looking at a "good" enviornment. (Haven't yet checked the customer's environment). Note that this is not documented and could change at any time, so use at your own risk.

    This table seems to have all the rights for the various items in the repository, like process apps and toolkits, but for my specific question.

    PO_TYPE = 5000 is the repository object.
    MASK is the type of access. 127 appears to be full admin, 63 is access without admin. 5 appears to be read only on Process Apps
    PO_ID is the value of "Installation GUID" in the LSW_SYSTEM table.
    GROUP_ID and USER_ID are, hopefully self explanatory. In my data they are mutually exclusive.
    Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
    Oh, and for the lazy - query to show you the entries you care about in your server

    
    select acl.* from LSW_ACL_ENTRY acl, LSW_SYSTEM sys where sys.key = 
    'InstallationGUID' and sys.value = acl.po_id
    


    Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
  • SystemAdmin
    SystemAdmin
    7615 Posts

    Re: Repository Admin

    ‏2012-09-26T21:29:01Z  
    Oh, and for the lazy - query to show you the entries you care about in your server

    <pre class="jive-pre"> select acl.* from LSW_ACL_ENTRY acl, LSW_SYSTEM sys where sys.key = 'InstallationGUID' and sys.value = acl.po_id </pre>

    Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
    Hmmm… Apparently that syntax works on DB2, but "sys" is a reserved word in MS-SQL. Try this

    
    select acl.* from LSW_ACL_ENTRY acl, LSW_SYSTEM lsws where lsws.key = 
    'InstallationGUID' and lsws.value = acl.po_id
    


    Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
  • SystemAdmin
    SystemAdmin
    7615 Posts

    Re: Repository Admin

    ‏2012-12-07T19:23:25Z  
    Hmmm… Apparently that syntax works on DB2, but "sys" is a reserved word in MS-SQL. Try this

    <pre class="jive-pre"> select acl.* from LSW_ACL_ENTRY acl, LSW_SYSTEM lsws where lsws.key = 'InstallationGUID' and lsws.value = acl.po_id </pre>

    Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
    Andrew

    Thanks for sharing this information.

    I'm using BPM Advanced 8.0.0, and I noted that the LSW_SYSTEM table names have changed from key and value to propkey and propvalue.

    I created the tables using the scripts generated by BPM's own tool.

    Your tip helped me overcome a problem where bootstrapProcessServerData.sh was failing with: -

    INFO: CWLLG2155I: Cache settings read have been from file file:/opt/IBM/WebSphere80/AppServer/BPM/Lombardi/process-server/twinit/lib/basic_resources.jar!/LombardiTeamWorksCache.xml.
    Exception in thread "P=248348:O=0:CT" com.lombardisoftware.client.security.AuthorizationDeniedException: You are not authorized to make changes to items in this context
    at com.lombardisoftware.client.security.AuthorizationUtils.deny(AuthorizationUtils.java:120)

    Once I inserted the InstallationGUID value into the table, using this SQL: -

    INSERT INTO DB2INST1.LSW_ACL_ENTRY (ACL_ENTRY_ID, PO_ID, MASK, PO_TYPE, GROUP_ID) VALUES (1404, '53c5c0a3-0d2b-4822-b94c-5722a59d5227', 127, 5000, 3);

    all was well.

    Thanks again

    Dave
  • SystemAdmin
    SystemAdmin
    7615 Posts

    Re: Repository Admin

    ‏2012-12-07T20:23:10Z  
    Andrew

    Thanks for sharing this information.

    I'm using BPM Advanced 8.0.0, and I noted that the LSW_SYSTEM table names have changed from key and value to propkey and propvalue.

    I created the tables using the scripts generated by BPM's own tool.

    Your tip helped me overcome a problem where bootstrapProcessServerData.sh was failing with: -

    INFO: CWLLG2155I: Cache settings read have been from file file:/opt/IBM/WebSphere80/AppServer/BPM/Lombardi/process-server/twinit/lib/basic_resources.jar!/LombardiTeamWorksCache.xml.
    Exception in thread "P=248348:O=0:CT" com.lombardisoftware.client.security.AuthorizationDeniedException: You are not authorized to make changes to items in this context
    at com.lombardisoftware.client.security.AuthorizationUtils.deny(AuthorizationUtils.java:120)

    Once I inserted the InstallationGUID value into the table, using this SQL: -

    INSERT INTO DB2INST1.LSW_ACL_ENTRY (ACL_ENTRY_ID, PO_ID, MASK, PO_TYPE, GROUP_ID) VALUES (1404, '53c5c0a3-0d2b-4822-b94c-5722a59d5227', 127, 5000, 3);

    all was well.

    Thanks again

    Dave
    For the record, I've posted a more full account of the issue that I saw on my personal blog: -

    http://portal2portal.blogspot.co.uk/2012/12/comlombardisoftwareclientsecurityauthor.html
  • vlit
    vlit
    924 Posts

    Re: Repository Admin

    ‏2012-12-08T20:11:25Z  
    For the record, I've posted a more full account of the issue that I saw on my personal blog: -

    http://portal2portal.blogspot.co.uk/2012/12/comlombardisoftwareclientsecurityauthor.html
    Dave,

    1404 - it is index of string. It was 1404 in my case. It can be occupied in your table.
    You need to use the last index of the table + 1.

    Vladlen.
  • SystemAdmin
    SystemAdmin
    7615 Posts

    Re: Repository Admin

    ‏2012-12-13T14:05:25Z  
    • vlit
    • ‏2012-12-08T20:11:25Z
    Dave,

    1404 - it is index of string. It was 1404 in my case. It can be occupied in your table.
    You need to use the last index of the table + 1.

    Vladlen.
    Hi Vladlen

    Good point - I did check that 1404 wasn't already taken before I did the insert :-)

    Thanks

    Dave