1 2 Previous Next 15 Replies Latest reply on Aug 6, 2019 4:54 AM by 3591766

    ACL populating automatically in WCC

    3591766

      Hello Experts,

       

      Greetings!!

       

      We are using WCC 11g(11.1.1.9) in our env. with managed attachment enabled for EBS. We are facing an intermittent issue with ACL in WCC. For specific security group, XCLBRAUSERLIST field automatcally getting populated with logged-in user value post check-in and restricting others from accessing that document. There is no specific pattern for the behavior, UAL parameter is getting updated randomly.We tried to reproduce it in lower env's but its working fine there.

       

      Below are the entries in config.cfg for ACL -

       

      UseEntitySecurity=true

      SpecialAuthGroups=FIN,HR,TRL,PRT,PRG,PAY,AFDocuments

      AllowQuerySafeUserColumns=true

       

      We are investigating the same but it'll be helpful if anyone suggests the probable root-cause for this?

       

      Thanks in advance

        • 1. Re: ACL populating automatically in WCC
          Srinath Menon-Oracle
          For specific security group, XCLBRAUSERLIST field automatcally getting populated with logged-in user value post check-in and restricting others from accessing that document.

          Most likely there is a rule that is set to be triggered for the specific security group and that is why the field is getting populated . Check the existing set of rules and review the requirement for it .

          • 2. Re: ACL populating automatically in WCC
            3591766

            Hi Srinath,

             

            Most likely there is a rule that is set to be triggered for the specific security group and that is why the field is getting populated . -->

             

            Where can we check those rules ?? Also If rules are in place for specific security group , lets say 'PRT' then why its not populating UAL for all PRT docs ?

            • 3. Re: ACL populating automatically in WCC
              Srinath Menon-Oracle
              Where can we check those rules ?? Also If rules are in place for specific security group , lets say 'PRT' then why its not populating UAL for all PRT docs ?

              Navigate to Administration - Admin Applets - Configuration Manager - Rules .

               

              The condition might be triggered for specific combination, it will be clear when you review the rule and see the logic .

              • 4. Re: ACL populating automatically in WCC
                3591766

                Hi Srinath,

                 

                Validated all the Rules, there is no logic or any condition on triggering UAL field (XCLBRAUSERLIST ) for any security groups.

                • 5. Re: ACL populating automatically in WCC
                  Srinath Menon-Oracle
                  For specific security group, XCLBRAUSERLIST field automatcally getting populated with logged-in user value post check-in and restricting others from accessing that document.

                  It can be done either using rule or by any custom post checkin filter. Enable system, requestaudit,idoc*,doc*,filter* + Full verbose and run the same test again , view the details in Server output section to see if any such condition is being invoked.

                  • 6. Re: ACL populating automatically in WCC
                    William Phelps

                    Just to note - if the desire is to have no ACL on the document, why assign a security group that has ACLs to the document?  This is just another reason why ACLs in Content Server are in general a bad idea.

                     

                    Also check Archiver for any automated import jobs that might be mapping this value.

                     

                    If SimpleProfiles are enabled, it's also quite possible that a user has created his/her own personal checkin profiles that will not appear in the admin applets.

                    • 7. Re: ACL populating automatically in WCC
                      3591766

                      Thanks William for reply.

                       

                      Well , desire is definitely to have ACL enabled for document with specific security group but not accidentally. User should share document with others with desired permissions he/she expected. Here in this case, ACL is getting populated automatically and when another user from same group & account trying to view it, he is not able to do that as ACL is enabled on it and its taking higher security preference over groups n accounts.

                      Now we monitored servers logs, custom components & jobs by enabling verbose trace but nothing concrete to find the root cause.

                      Disabling ACL for that specific security group is a work around but that restricts the use of native functionality.

                      • 8. Re: ACL populating automatically in WCC
                        Srinath Menon-Oracle

                        Now we monitored servers logs, custom components & jobs by enabling verbose trace but nothing concrete to find the root cause.

                        Disabling ACL for that specific security group is a work around but that restricts the use of native functionality.

                        I don't know of any mechanism other than a rule / filter that would be doing this . Do you have custom components enabled ?

                        • 9. Re: ACL populating automatically in WCC
                          3591766

                          Yes Srinath, we have few custom components at WCC end that triggers post check-in to align the data received from EBS . We are further investigating in that direction only but are pretty sure no profile or rules triggering UAL fields. I earlier suspected that any missing configuration of ACL is leading to populate UAL automatically & intermittently but thats not the case. It might be from some filter or job or custom component that we have in our system. Looking into it. Pls keep shooting your suggestions, that helps

                           

                          Thanks

                          • 10. Re: ACL populating automatically in WCC
                            Piyal

                            Hi,

                             

                            May be I am asking a very stupid question, are you uploading content to any specific folder where you are facing this issue. Because this might be the case that you have added the user name in UAL of that folder and while uploading content in that folder UAL is automatically getting populated to that content.

                             

                            Thanks.

                            • 11. Re: ACL populating automatically in WCC
                              3591766

                              Hello Piyal,

                               

                              Thanks for update, not a stupid question at all. It is very much a valid one. But in our case we don't have any specific folder where UAL is populating. We found a root cause which is a custom component in WCC that gets trigger post check-in and it was setting UAL for specific security group conditionally.

                               

                              Hi All,

                               

                              How can we remove ACL for specific security group in UCM ? We tried removing that security group from SpecialAuthGroups  variable in config.cfg but post restart it still shows UAL field visible on information page. Anything missing here ?

                               

                              Thanks

                              • 12. Re: ACL populating automatically in WCC
                                William Phelps

                                I don't think so.  If a field has a value, typically it will be shown on the info page, so this is basically a cosmetic.

                                 

                                The more important point should be if the access is now correct. Can the users now access as expected?

                                • 13. Re: ACL populating automatically in WCC
                                  3591766

                                  Hello William,

                                   

                                  Please see the response below -

                                   

                                  I don't think so.  If a field has a value, typically it will be shown on the info page, so this is basically a cosmetic --> Field doesn't have a value but still it is visible (blank User List field) on info page irrespective ACL is disabled for that security group in config.cfg.

                                   

                                  Can the users now access as expected? --> Yes, access is corrected now. Automatic population of UAL field has been corrected in custom component so now no UAL value is getting sent and security is getting driven by account & security group combinations as expected.But User List field is still visible on UI.

                                   

                                  What we want is xClbraUserList & xClbraAliasList  fields should be disabled on Check-in,Search,Update & Info pages in UCM for that specific security group not others.We removed the security group from SpecialAuthGroups variable in config file & restarted UCM expecting these two fields wont popout but that's not the case. How to disable above two fields for one security group during check-in/Update/Search out of 5 and keep it enabled for others.

                                   

                                  Thanks

                                   

                                   

                                  • 14. Re: ACL populating automatically in WCC
                                    William Phelps

                                    If the security group is known/pre-populated when the user accesses the page, a profile rule can be used to hide the fields.  The user can still complete the field... it's just useless for them to complete it, since the value won't be used. 

                                     

                                    If you want to remove any value the user adds, again, a profile rule can be written to clear the value post-checkin.

                                    1 2 Previous Next