topic Re: Security role problem in Management & Governance

Security role problem

Jeffrey_Li — Thu, 05 Dec 2019 13:46:38 GMT

Hi, All,

I created the following two security roles.

CustomizedContentadmin
Resources:Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,FileReference*

CustomizedDeveloper
Resources:App*,ReloadTask_*,SchemaEvent_*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,FileReference*,Scheduler*

Comparing with CustomizedContentadmin, CustomizedDeveloper role has Scheduler* added, and has Stream_*,UserSyncTask_*,User*,CustomProperty* removed. So basically CustomizedContentadmin role has more resources access than CustomizedDeveloper except Scheduler. That means for data connections, when users with these two roles log into hub site, they should be able to see the same data connections listed there. However, when roles are applied, users with CustomizedDeveloper role are able to see all data connections in hub, including those connection created by other users. But Users with CustomizedContentadmin role can only see a few data connections. I cannot find what the cause is, and need second eyes on it. Could you help?

Thanks

Re: Security role problem

andoryuu — Thu, 05 Dec 2019 14:46:03 GMT

Can you please post a screenshot of each of your security roles with all of the configured properties? Just the resource filter is not enough to diagnose this issue.

Re: Security role problem

Jeffrey_Li — Thu, 05 Dec 2019 15:12:58 GMT

Customized_developer role screen shot

Re: Security role problem

Jeffrey_Li — Thu, 05 Dec 2019 15:13:38 GMT

Customized_contentadmin role screen shot

Re: Security role problem

Jeffrey_Li — Thu, 05 Dec 2019 15:14:27 GMT

Thanks for your reply. Screen shots have been uploaded

Re: Security role problem

Jeffrey_Li — Thu, 05 Dec 2019 16:28:51 GMT

One more thing. CustomizedContentAdmin users also have DeploymentAdmin role.

Re: Security role problem

Levi_Turner — Thu, 05 Dec 2019 19:28:17 GMT

Nothing looks obviously amiss there. On off-hours can you cycle services to see if it's some weird caching issue? That shouldn't be needed but I've seen it come up from time to time.

Re: Security role problem

andoryuu — Thu, 05 Dec 2019 19:38:37 GMT

Agreed @Levi_Turner . It's odd.

@Jeffrey_Li when you are in the problematic security rule go into the audit pane on the right and filter on a single user that *should* have these read rights and select "Data Connection" as the resource. Click "Preview" on the security rule to see what comes up. Does the user show up with a blue block for "R" meaning the rule grants them read rights? What about if you click audit? Look for a data connection that they *should* have - what color is the box? Double click the "R" box - which security rules are displayed and can you provide a screenshot?

One thing that I've seen with security rules is that when trying to do certain security functions for hub activities you need to configure it "Only in Hub" even though you aren't trying to restrict it to hub, per se. Try that and see if your test user can now see the data connections.

Re: Security role problem

Jeffrey_Li — Thu, 05 Dec 2019 20:14:40 GMT

Thanks @Levi_Turner @andoryuu for your reply. I will find a time to restart the services and let users try again. Will let you know.

Re: Security role problem

andoryuu — Fri, 06 Dec 2019 13:31:51 GMT

@Jeffrey_Li You can also try my “only in hub” suggestion before having to cycle the services.

Re: Security role problem

Jeffrey_Li — Fri, 06 Dec 2019 18:33:53 GMT

The issue was solved after I restarted services. Thanks for @Levi_Turner @andoryuu.