topic Re: Access denied root user, but from which process? in Management & Governance

Access denied root user, but from which process?

Suzanne_van_der_Tang — Wed, 26 Jan 2022 10:56:35 GMT

Hi all,

I'm fairly new in the administrator role within Qlik, and I was strolling through the log monitor.
In the log, I see a large amount of error message of the following kind:

Access was denied for User: <rootuser>, SessionId: <y>, Hostname: '::1', Requested access types: '', OperationType: 'UsageDenied'

How can I derive from the log which process causes this error? THe message is from the ServiceRepository log, but I would like to know the process which is trying to access using the <rootuser>.

Thanks!

Suzanne

Re: Access denied root user, but from which process?

Mike_Dickson — Wed, 26 Jan 2022 23:39:42 GMT

Hello Suzanne,

Would the "rootuser" happen to be the service account?

Does your service account have a professional / analyzer pass assigned to it?

It is most likely cause by the reload of the monitoring applications within the QMC. If you open the data connections for the monitoring apps (IE: monitor_apps_REST_app) is the UserID the one that is being displayed in the log for UsageDenied?

If it is, than an option might be to setup your monitoring apps to authenticate via Certificate.

https://community.qlik.com/t5/Knowledge/How-to-configure-Certificate-Authentication-for-Qlik-Sense/ta-p/1799913

Re: Access denied root user, but from which process?

Suzanne_van_der_Tang — Fri, 28 Jan 2022 09:18:27 GMT

Hi @Mike_Dickson ,

You're right. It appears to be related to the monitoring apps. This page describes the problem I'm having:
https://community.qlik.com/t5/Knowledge/Qlik-Sense-Enterprise-403-Access-was-denied-errors-in-Service/tac-p/1886093

Your colleague suggested to raise a defect on this, which I did.

A question I have about the solution you suggest: What's the downside of switching the service account to use certificate authentication?

Grt,
Suzanne

Re: Access denied root user, but from which process?

Mike_Dickson — Fri, 28 Jan 2022 21:42:42 GMT

There really isn't a "downside" to switching the REST connections to use Certificate Authentication other than "In multi-node environments where the central node does not perform reloads, the certificate generated will have to be moved to the corresponding folders on the other nodes"

Which is resolved by copying the certificates over to the same location on the RIM node that preforms the reload.

If you do end up using the Certificate Authentication within your environment and it resolves your issue, let us know by clicking the "Accept as Solution"