Question

Which tables handle the group assignments and LDAP configuration within the Admin console? As well, what is the table that handles the access rights for the folders within the Laserfiche database?

asked on February 23, 2015

User is trying to restore the group assignments and the LDAP configuration within the Admin console. The user deleted all the information by restoring his entire database. I would like to know which tables handle the group assignment and LDAP configurations so they can retrieve these tables from the backup he made before he did the restore.

 

Please let me know if this is possible.

0 0

Replies

replied on February 24, 2015

Is this for a RIO repository? All templates, fields, entries came back but user security and groups did not?

 

All security settings that you mention above are stored in SQL so it should be possible. If you got documents back but not security I'd like to know more because they are stored in the same database, at least in RIO anyways.

 

For RIO the user information is referenced in a few tables in this repository database and gets a little messy but everything is labeled pretty well.

 

Group assignments/Accounts

Repository named user group membership is stored in [grouplist] and associated by "trustee_id". This is a unique ID for Laserfiche based off the SID/User account or Group, which leads me to the next table.

 

A trustee's basic information (unique Laserfiche ID, SID, name, description, salted password, etc.) is stored in [trustee].

 

So when you look at [grouplist], you'll see group_id = 1008, and member_id = 7. These are both trustee_id's referenced in this table. Both groups and members have a trustee_id and are referenced in the [trustee] table. This will cover group association of named user accounts but not Windows accounts.

 

Some other basics:

 

If the repository named user or Windows account is trusted and allowed to authenticate by user account instead of group membership, they will be listed by SID in [trusted_allow].

 

If the member is within a trusted group, they will be listed by SID in [trusted_group] and the "trustee_id" of that trusted group will be listed as "trustee_id".

 

The same structure goes for those authenticating through LDAP in [ldap_allow].

LDAP profiles are stored in [ldap_server_profiles].

 

Last login/logout information is in [user_login].


A trustee's attributes, the settings which dictate a lot of how the client interacts with the account, and are found by double clicking on a user and going to the attributes section, are all stored in [trustee_attr].

 

A trustee's privileges, features, audit settings and read-only flag are stored in [account_security].

 

 

Access Rights - Document/Folder level security is in [entryacl] and entered 1 row per SID for each entry which has security applied.

"toc_id" is the entry id of the document.

"mask" is a numeric value for the actual security applied. IE: A value of [1] means the user only has the browser permission. A value of [1048575] means full permissions.

"ace_flags" refers to the scope I believe.

"pos" is the sequence of how they are listed in the access rights console.

 

 

Tags are in [tag] and given a tag_id.

Tags associated to a trustee are stored in [trustee_tag].

Tags associated to a document are in [tagacl].

 

Field level security is in [propacl] and referenced by a master field id and the account's SID.

 

Summary

It gets pretty dirty which leads me back to the question of how were you able to get documents back but no security? It makes me believe just one table was corrupted so I'd like to know more about what is missing and what's there.

 

If you have all fields, templates, documents, and that all works fine and dandy but no users are in the admin console listed, I'd look at the [trustee] table. After this, if access rights aren't showing up I'd look at [entryacl].

 

I hope this rambling is of use, good luck!

 

 

0 0
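The tables named in the reply above can be compared between the pre-restore backup and the live repository before anything is copied back. This is an added example, not part of the reply and not Laserfiche's own tooling; it assumes Microsoft SQL Server, the `dbo` schema, and two hypothetical database names, `LF_Backup` (the backup restored under a new name) and `LF_Live`. Only column names quoted in the reply are used.

```sql
-- Added example: read-only comparison of backup vs. live security tables.
-- LF_Backup, LF_Live and the dbo schema are assumptions, not names from the thread.
-- [trustee] also holds salted passwords, so it is joined on trustee_id only (no SELECT *).

-- 1. Group memberships present in the backup but missing from the live database.
SELECT b.group_id, b.member_id
FROM LF_Backup.dbo.grouplist AS b
LEFT JOIN LF_Live.dbo.grouplist AS l
       ON l.group_id = b.group_id AND l.member_id = b.member_id
WHERE l.group_id IS NULL
ORDER BY b.group_id, b.member_id;

-- 2. Backup memberships whose group or member has no row in the live [trustee]
--    table; copying these into [grouplist] alone would leave dangling IDs.
SELECT b.group_id, b.member_id,
       CASE WHEN g.trustee_id IS NULL THEN 1 ELSE 0 END AS group_missing,
       CASE WHEN m.trustee_id IS NULL THEN 1 ELSE 0 END AS member_missing
FROM LF_Backup.dbo.grouplist AS b
LEFT JOIN LF_Live.dbo.trustee AS g ON g.trustee_id = b.group_id
LEFT JOIN LF_Live.dbo.trustee AS m ON m.trustee_id = b.member_id
WHERE g.trustee_id IS NULL OR m.trustee_id IS NULL;

-- 3. Entries whose number of access-right rows differs between backup and live.
SELECT COALESCE(b.toc_id, l.toc_id) AS toc_id,
       COALESCE(b.ace_rows, 0)      AS backup_rows,
       COALESCE(l.ace_rows, 0)      AS live_rows
FROM (SELECT toc_id, COUNT(*) AS ace_rows
      FROM LF_Backup.dbo.entryacl GROUP BY toc_id) AS b
FULL OUTER JOIN
     (SELECT toc_id, COUNT(*) AS ace_rows
      FROM LF_Live.dbo.entryacl GROUP BY toc_id) AS l
  ON l.toc_id = b.toc_id
WHERE COALESCE(b.ace_rows, 0) <> COALESCE(l.ace_rows, 0)
ORDER BY toc_id;

-- 4. Backup rows carrying the mask value the reply describes as full permissions,
--    worth reviewing before any access rights are restored.
SELECT toc_id, mask, ace_flags, pos
FROM LF_Backup.dbo.entryacl
WHERE mask = 1048575
ORDER BY toc_id, pos;
```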
replied on February 24, 2015

One note of quirky behavior in 9.2.

 

In the Admin Console, when viewing the list of Windows Accounts, if you hit refresh, any Linked Trustee will disappear and be set to (None).

 

If you double click on the account which you know is linked to a group or trustee, I believe it will then query the database table [trusted_group] and populate the linked trustees.

 

 

Also of note, business processes, watermarks, volumes, and stamps all have separate tables referencing accounts and there is a default security setting in [defaultacl] table which also references accounts. So my above list is not exhaustive.

 

 

 

0 0
replied on July 24, 2019

Okay, a related question.  Where in the database could I query to find what users/groups have Access Rights to a particular business process (form designer)?

0 0