IBM Support

Getting intermittent error, The requester has insufficient access rights, while adding document to FileNet Content Engine.

Troubleshooting


Problem

Getting intermittent error, The requester has insufficient access rights, while adding document to FileNet Content Engine via FileNet web services application with Domain Local group users.

Symptom

The following error is seen in the P8_server_error.log:


YYYY-01-08T15:37:49.902 35FF9351 ENG FNRCE0001E - ERROR method name: checkCreateInstancePermission principal name: username Global Transaction: true User Transaction: false Exception Info: The requester has insufficient access rights to perform the requested operation. Not granted CREATE INSTANCE permission.
com.filenet.api.exception.EngineRuntimeException: FNRCE0001E: E_ACCESS_DENIED: The requester has insufficient access rights to perform the requested operation. Not granted CREATE INSTANCE permission. failedBatchItem=0 at com.filenet.engine.persist.IndependentPersister.checkCreateInstancePermission(IndependentPersister.java:2055)

Environment

Microsoft Active Directory

Diagnosing The Problem

Enable the CE security trace to show whether the Domain Local group is missing from the user's access token (UAT) at the time the error occurs. Below is a sample of the securitytracedetail for the secured object to examine; note that the Domain Local group does not appear in the accesstoken principals, and the access control entry that would grant access is marked ispresentintoken="false":

<securitytracedetail>
 <securityrefs sdidentity="0xFCF505DC"
principalname="username"/>
 <securedobject id="{F5E83019-2665-4B0B-A6D4-A99AB2251040}"
classid="{C57469A4-1592-4428-B7EE-0C970E4DB76A}"
classname="DocumentClassDefinition"
objectstoreid="{52F570B5-33FA-462F-8C86-C9070670CC45}"/>
 <accessallowed value="0">
   <accessmaskdescription> NONE </accessmaskdescription>
 </accessallowed>
 <accesstoken principalname="username" size="10">
   <principal name="username@servername.net"
sid="S-1-5-21-725345543-926492609-682003330-10069"/>
   <principal name="username1@servername.ne"
sid="S-1-5-21-448539723-1767777339-1801674531-583568"/>
   <principal name="username2@servername.ne"
sid="S-1-5-21-725345543-926492609-682003330-12653"/>
   <principal name="Domain Users@servername.net"
sid="S-1-5-21-725345543-926492609-682003330-513"/>
   <principal name="username3@servername.net"
sid="S-1-5-21-448539723-1767777339-1801674531-555400"/>
   <principal name="Service Accounts@servername.net"
sid="S-1-5-21-448539723-1767777339-1801674531-296809"/>
   <principal name="#AUTHENTICATED-USERS" sid="S-1-5-11"/>
 </accesstoken>
 <securitydescriptor sdidentity="0xFCF505DC">
   <effectiveaccess value="0">
     <accessmaskdescription> NONE </accessmaskdescription>
   </effectiveaccess>
   <owner principal="username@servername.net"
sid="S-1-5-21-448539723-1767777339-1801674531-1263883"/>
   <accesscontrolentries size="7">
     <accesscontrolentry ispresentintoken="false"  
........
</securitytracedetail>
 

This is how the Content Engine typically searches for users or groups in a given realm. It connects to the domain specified by the realm name, then:

  • Searches for the users or groups by the search criteria.
  • For each user or group, if group membership is requested, FileNet P8 searches for it in the local domain first, then searches for it again in the Global Catalog. In the end, FileNet P8 combines the results.
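The check described above, as an added example that is not part of this technote: it parses a securitytracedetail excerpt in the shape shown earlier, lists the principals actually present in the user's access token, and reports which of the groups the administrator expects (for example the Domain Local group holding the CREATE INSTANCE grant) are absent. The trace text, principal names, SIDs and the group name DL-DocCreators@example.net are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed trace excerpt shaped like the securitytracedetail sample above.
# Principal names and SIDs are made-up placeholders, not values from any real domain.
SAMPLE_TRACE = """<securitytracedetail>
 <accessallowed value="0">
   <accessmaskdescription> NONE </accessmaskdescription>
 </accessallowed>
 <accesstoken principalname="username" size="3">
   <principal name="username@example.net" sid="S-1-5-21-111-222-333-10069"/>
   <principal name="Domain Users@example.net" sid="S-1-5-21-111-222-333-513"/>
   <principal name="#AUTHENTICATED-USERS" sid="S-1-5-11"/>
 </accesstoken>
 <securitydescriptor sdidentity="0x00000001">
   <accesscontrolentries size="2">
     <accesscontrolentry ispresentintoken="false"/>
     <accesscontrolentry ispresentintoken="true"/>
   </accesscontrolentries>
 </securitydescriptor>
</securitytracedetail>"""

def token_principals(trace_xml):
    """Return {lower-cased principal name: SID} for every principal in the access token."""
    root = ET.fromstring(trace_xml)
    return {p.get("name", "").lower(): p.get("sid", "")
            for p in root.iterfind("./accesstoken/principal")}

def diagnose(trace_xml, expected_groups):
    """Report which expected groups are missing from the token.

    expected_groups: group names the user is known to belong to (for example
    the Domain Local group that grants CREATE INSTANCE on the class).
    """
    root = ET.fromstring(trace_xml)
    present = token_principals(trace_xml)
    missing = [g for g in expected_groups if g.lower() not in present]
    absent_aces = sum(1 for ace in root.iter("accesscontrolentry")
                      if ace.get("ispresentintoken") == "false")
    allowed = root.find("accessallowed")
    return {
        "access_allowed": allowed is not None and allowed.get("value") != "0",
        "missing_groups": missing,
        "aces_not_in_token": absent_aces,
    }

# Constructed call: the Domain Local group name is a placeholder, not a real group.
RESULT = diagnose(SAMPLE_TRACE, ["DL-DocCreators@example.net"])
```

A non-empty missing_groups list for a user in another domain points at the Domain Local group membership not being resolvable through the Global Catalog, which is the condition the resolution below addresses.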

Resolving The Problem

Group membership in the same domain is two-way, regardless of the group scope. If the cross-domain group membership does not involve a Domain Local group, it is also two-way in the Global Catalog. Because a Domain Local group's membership is not replicated to the Global Catalog, a user from another domain who is granted access only through that group is resolved without it, so the group is missing from the access token and the CREATE INSTANCE check fails.

To resolve the issue, configure a Universal Group as a member of the Domain Local Group, as described in the IBM Knowledge Center instructions for FileNet P8 Platform 5.x:

http://www-01.ibm.com/support/knowledgecenter/SSNW2F_5.2.0/com.ibm.p8.security.doc/p8psd004.htm


Document Information

Modified date:
17 June 2018

UID

swg21698672