    Issue with Users trying to contribute a file to content server

    Anand B.-Oracle

      I have an instance of UCM 10g installed and of late some users have suddenly started getting the message "Unable to build check in form. User '<username>' does not have sufficient privileges." when they try to check in a file.

      I checked the user admin to see these users' privileges and they seem fine. I mean they have RW privileges on the group.

      When the user logs into the system they cannot see the "New Checkin" option which is also strange.

      Here is what got recorded in the content server log file:

      Event generated by user '<username>' at host 'orclinsight.oraclecorp.com'. Content item <undefined> was not successfully checked in. User '<username>' does not have sufficient privileges. [ Details ]

      An error has occurred. The stack trace below shows more information.

      intradoc.common.ServiceException: !csUnableToCheckIn,!csUserInsufficientAccess,bhavna.kalra@oracle.com

      Any help will be much appreciated.

          Hi Anand

          We need a little more information to help:

          1) Is this 10g or 11g UCM?
          2) Are the users local or external, and what are you authenticating against?
          3) If you look at the user's profile page, can you see that they have 'roles'?
          4) Have you made any change recently? To providers, roles, accounts etc.

            Anand B.-Oracle
            Hi Tim,

            This is a 10g instance of UCM running on top of 11g DB R1.

            We are authenticating against Oracle Single Signon and the users are local.

            I checked all the users' profiles and they have the required roles (if you meant can I see the roles tab, then yes, I can see the roles tab).

            Did not make a single change recently.

              So if you log in as a user and then go to this page


              Do you see their roles listed?

              I am not sure what you mean when you talk about the roles tab...

                kentucm - oracle
                The statement that you are using single sign on and the users are local is normally contradictory. External security applications like Oracle SSO would create external users in the CS. You could also create local users in 10g with those external users so that could be what you mean. Are the users who are having problems External ones? That would be my expectation.

                Tim's suggestion to look at the User profile page to look at the access level they have when logged in is a good one. If it shows that the user does not have the access level you expect them to, then something in the external security application is stopping you. Also consider Accounts if they are turned on, as they are restrictive.

                You can also use System Audit Information page tracing. Set it to verbose and tracing to system,user* then try to do a checkin of a document revision that he should be able to but that fails. The tracing should tell you more.

                  I suspect you are giving roles to the local users that you have created with the same name as the external users that you are logging in as.

                  As KJR (Kent?) says, local users are local, external are external! In an external user scenario on 10g I would expect that an LDAP provider would need to be created and configured to pull user group memberships and map this to LDAP roles.

                  However, I have seen mixed mode setups where people have manually hacked UCM to provide local roles (from the UserSecurityAttributes table) for external users. I am pretty sure that this is NOT a supported configuration.

                    Anand B.-Oracle
                    Hi KJR,

                    You are correct, these users are created by Oracle SSO as external users and then I run a SQL query on the base table to convert them into Local / Global users. Once converted to Global / Local users, I can then assign permissions to them based on the role types available.

                    To assign permissions I also make entries in the usersecurityattributes table in the schema.

                    I may be wrong here, but do we necessarily need to create a user from the front end or can we create a user from the table level as well?

                    I create a user at the table level in users table in UCM Schema and then assign permissions by making entries in the usersecurityattributes table.

                    Tim Snell, you are correct, I wait for the users to log into the UCM instance once and then convert the same users based on some code into the respective Global / local users and assign them different role types.

                      Anand, it sounds like you are elbow deep in making internal changes and are not sure what the consequences are of these actions.

                      If you really understand how the DB schema / file system and Services work together then you can get away with making these changes. However, from a support point of view you are in difficulty. I would always recommend that you do everything via the UCM services unless there is an exceptionally good reason not to.

                      The wisest answer to give to the question "can I add users directly to the DB?" is not a definitive yes or no but a reminder that whatever the behaviour now, it may change and break later. The service layer allows you, the user, to be distanced from the actual implementation.

                      Anyhow, back to the issue in hand. You did not say whether the users have their roles (I now suspect they do not). I suggest you check the Usersecurityattributes table and use the tracing as suggested by KJR.

                        kentucm - oracle
                        Yes, Tim is correct. Support would say that any direct changes to the DB layer without the CS services layer doing it would not be supported. Only in rare cases where development tells support to do otherwise are direct DB level edits supported.

                        So approaching the external users getting the correct security as a problem: support would probably suggest something like using the proxycredentialsmap component to map your security from the SSO application to the proper roles in the CS instead of using scripts to create local users and map them manually. Or create the users one time at the beginning of the project (using your db level edits to create users and give them roles etc.) and test to see if it works, and do no integration with an SSO application that can change your users and mess up your plans later.

                        I would guess that a one time creation of users via script in the CS would be no real problem to support, but anything dynamic and coded that would have to be debugged would be a problem. Custom code (even simple custom code in a workflow or profile) is not directly supported. Too big of a Pandora's box being opened.