IBM Support

JR55841: DELETING A USER FROM THE USER REGISTRY LEADS TO SUBSEQUENT EXCEPTIONS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When you delete a user or group from the user registry that IBM
    Business Process Manager (BPM) uses, subsequent operations might
    fail if the operation includes access to a user or group that
    was deleted. For example, if in these scenarios
    
    - You reassign a task to a group that contains the deleted user
     or group
    
    - A process instance goes to a task assigned to a team that
     contains the deleted user or group
    
    - You start an instance of a case type by using Basic Case
     Management to store the case folder with an owner team that
     contains the deleted user or group
    
    you see exceptions similar to this one in the SystemOut.log file
    of the server:
    
    [5/10/16 13:05:49:501 CEST] 0000034f Engine        E
    CWLLG0181E: The following error occurred in the 1,023 task:
    Error updating authorization. Details: CWTDS0000E: An unexpected
    failure occurred. Details: 'FNRCE0051: E_OBJECT_NOT_FOUND: The
    requested item was not found. propertyName=Permissions,
    referenced principal=uid=deletedUser,o=defaultWIMFileBasedRealm
    in Domain {00000000-0000-0000-0000-000000000000}'
    Explanation: An exception was thrown.
    Action: Check the server log files.
    
    com.lombardisoftware.core.TeamWorksException: Error updating
    authorization. Details: CWTDS0000E: An unexpected failure
    occurred. Details: 'FNRCE0051: E_OBJECT_NOT_FOUND: The requested
    item was not found. propertyName=Permissions, referenced
    principal=uid=deletedUser,o=defaultWIMFileBasedRealm in Domain
    {00000000-0000-0000-0000-000000000000}'
    Explanation: An exception was thrown.
    Action: Check the server log files.
     at com.ibm.bpm.embeddedecm.authorization.AuthorizationHelper.
      performUpdates(AuthorizationHelper.java:353)
     at com.ibm.bpm.embeddedecm.authorization.AuthorizationHelper.
      access$000(AuthorizationHelper.java:43)
     at com.ibm.bpm.embeddedecm.authorization.AuthorizationHelper$1.
      beforePrepare(AuthorizationHelper.java:121)
     at com.lombardisoftware.utility.spring.
      ProgrammaticTransactionSupport.executeCallbacks
      (ProgrammaticTransactionSupport.java:1028)
    

Local fix

  • You can prevent the error by making sure that users are not
    members of IBM BPM teams and internal groups when they are
    deleted. Before deleting the user, invoke the following REST
    API:
    
    GET /rest/bpm/wle/v1/user?userName=%USERNAME%
      &includeInternalMemberships=true
      &refreshUser=false&parts=memberships
    
    Invoking this API shows you the current membership of the user.
    You can then remove the user from groups by using the following
    REST API:
    
    PUT /rest/bpm/wle/v1/group/%GROUPNAME%
      ?action=removeMember&user=%USERNAME%&parts=none
    
    You can find the two REST APIs in the Organization API group in
    the REST API Tester. When the user is no longer a member of any
    team or internal group, it can be deleted.
    
    If a user is deleted and was not removed from groups before and
    the issue appears, then a restart of the cluster member resolves
    the issue as it causes the in-memory cache to be cleared. To
    prevent downtime the cluster members can be restarted
    individually.
    

Problem summary

  • IBM BPM stores information about users and groups in its
    database that might include users and groups that are already
    deleted in the underlying user registry. When you have the Basic
    Case Management feature installed or use an external FileNet
    Content Manager as the repository for the IBM BPM document
    store, fine-grained permissions are applied to the process
    attachments and case folders to represent the permissions to
    view the related process instance based on the task assignments
    and instance ownership. At this point, IBM BPM filters out
    non-existing users and groups. Because these checks are
    expensive, an in-memory cache is used. If this cache still knows
    a user or group that was already deleted, the following
    operation to apply permissions for it on the document or case
    folder fails.
    

Problem conclusion

  • A fix will be included in IBM BPM V8.5.7 CF2016.06. The fix
    removes outdated entries from the cache and retries the
    operation automatically.
    
    To determine whether the cumulative fix is available and
    download it if it is, complete the following steps on Fix
    Central:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version to the fix pack
      level, and your platform, and then click Continue.
    
    2. Select Text, enter ?cumulative fix?, and click Continue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR55841

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    856

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-05-02

  • Closed date

    2016-05-25

  • Last modified date

    2016-05-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R857 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"856","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
25 May 2016