
Question

If a user gets "Access Denied" registering a new QF instance with DS, how do we give them access to do this?

asked on June 16, 2021

I cannot find anything in the documentation or any natural area within the DS product to set who has access and who doesn't.

The only button that exists in this area is + Applications, nothing could even lead to a list of Windows Accounts that have access.

0 0


Replies

replied on June 16, 2021

In LFDS - under Settings > Security > Rights Assignment; I had to enable View Site & Download Application Licenses for the group that would be installing.

2 0
replied on June 17, 2021

This is almost certainly it. When a user running a Laserfiche application installer attempts to register that application through LFDS, the wizard makes a Download Application License call to LFDS under their identity. Thus, the user must have the Download Application Licenses LFDS permission or they'll receive an "Access Denied" error like you see here.

1 0
replied on June 17, 2021

I am in there now and I see the user has already been granted rights to do everything, including download application licenses. This would make sense as they have installed Quick Fields before.

The only thing that I can see that looks off to me is the user logs into Windows using a different username than the one displayed in Directory Server. I think Active Directory supports multiple usernames assigned to one user SID now to allow for last name changes as people get married. Could this be why it thinks her access is not allowed? I don't think I can choose which username Directory Server uses. I am not even sure if this is the problem, but not sure what else it would be.

0 0
replied on June 17, 2021

Perhaps you could test that theory by trying to add the username they log into Windows with as a new Windows User in LFDS. If you get a "User already exists" error message, that's a good sign LFDS is associating their multiple usernames with the same SID. If it goes through, that would indicate LFDS is seeing them as separate user accounts, and I would look at both user profiles in LFDS to see if they have different UPNs. 

0 0
replied on June 17, 2021

Yes, we get:
Could not register new user: Object already exists.

When I am trying to add the user, I see the domain name they are using to log in to, but in the user list I see their old name they no longer use.

0 0
replied on June 17, 2021

Hi Chad,

Does the user have "View" and "Add objects" rights to the organization they are registering the application under, as mentioned in this post?

0 0
replied on June 17, 2021

Every single box is checked under Rights Assignment. They have it all.

0 0
replied on June 17, 2021

Temporarily put the user's AD account in the local "Directory Server Administrators" Windows group on the LFDS server, which grants all possible rights in every area. If that still doesn't work, you have some weird AD mismatch going on that's not worth the effort of solving for the sake of issuing a Quick Fields license.

Manually generate the QF license in LFDS with "+Applications" and provide the lf.licx file to the user so they can provide it to the install wizard instead of selecting the LFDS registration option.

Don't forget to remove the user from the local Directory Server Administrators group.

Either way, you might want to try deleting the user's existing AD account registration out of LFDS and re-adding them under their new name as a precautionary measure against future weirdness.

1 0
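
The two checks suggested in the replies above (whether both usernames belong to one Windows account, and the temporary group-membership test) can be scripted so the elevated membership is always removed afterwards. This is an added example, not part of the thread and not Laserfiche code. The account names are placeholders, and the group name is an assumption taken from the reply above, to be confirmed on the server with `Get-LocalGroup`.

```powershell
# Added example, not from the thread. Run in an elevated session on the LFDS server.
param(
    [string]$LoginName  = 'EXAMPLE\new.name',   # placeholder: name used to sign in to Windows
    [string]$ListedName = 'EXAMPLE\old.name',   # placeholder: name shown in the LFDS user list
    [string]$AdminGroup = 'Directory Server Administrators'  # assumption: confirm with Get-LocalGroup
)

function Resolve-Sid([string]$Name) {
    # Translate DOMAIN\user to a SID string; returns $null when the name does not resolve.
    try {
        ([System.Security.Principal.NTAccount]::new($Name)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

function Test-InGroup([string]$Sid) {
    # True when an account with this SID is a direct member of the local group.
    [bool](Get-LocalGroupMember -Group $AdminGroup | Where-Object { $_.SID.Value -eq $Sid })
}

# Check 1: do the sign-in name and the listed name belong to the same account?
$loginSid = Resolve-Sid $LoginName
if (-not $loginSid) { throw "Cannot resolve $LoginName to a SID." }
$listedSid = Resolve-Sid $ListedName

if (-not $listedSid)              { Write-Warning "$ListedName does not resolve in Windows." }
elseif ($listedSid -eq $loginSid) { Write-Host "Both names map to $loginSid (one account)." }
else                              { Write-Warning "Two accounts: $loginSid vs $listedSid." }

# Check 2: temporary membership for the permissions test, with guaranteed cleanup.
if (Test-InGroup $loginSid) { Write-Host 'Already a member; nothing changed.'; return }

Add-LocalGroupMember -Group $AdminGroup -Member $LoginName
try {
    Read-Host "Added to '$AdminGroup'. Have the user retry registration, then press Enter"
}
finally {
    # finally also runs when the script is stopped with Ctrl+C
    Remove-LocalGroupMember -Group $AdminGroup -Member $LoginName
    if (Test-InGroup $loginSid) { Write-Error "$LoginName is STILL in '$AdminGroup'." }
    else                        { Write-Host "Removed $LoginName from '$AdminGroup'." }
}
```
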
SELECTED ANSWER
replied on June 18, 2021

Just to clarify Chad, every box is checked for both site-wide security (Settings > Security) as well as organization-level security (Accounts > Organizations > MyOrg > Security)?

1 0
replied on June 18, 2021

I have been working under Settings > Security > Rights Assignment

If I go to Accounts > Organizations > Root > Security I get another Rights Assignment page that looks just like the one I was on, but none of the same configurations.

Why am I seeing 2 rights assignment pages and they do not match? I tried adding this user there as well and will have them try again.

0 0
replied on June 18, 2021

In LFDS, "Site" and "Organization" are two different security scopes. 

To use an imperfect analogy, having the "Import" Feature right on a repository (LFDS Site) doesn't automatically mean you can create entries in any folder. You also need the "Create" entry access right in the folder (LFDS Org) you're trying to create the entry in.

The "Laserfiche Directory Service Administrators" local Windows group grants "complete and unrestricted access to Laserfiche Directory Server" (all possible rights at every security scope), which is why I recommended trying putting the user in there to test if it was a permissions issue on their account.

1 0
replied on June 18, 2021

I just confirmed I needed to add the user under Accounts > Organizations > Root > Security > Rights Assignment and NOT Settings > Security > Rights Assignment.

No need to make them a global administrator now that this is working, now I know where to go, but I was in the wrong Rights Assignment window apparently and will stay away from that one.

These are just users trying to install scanner software.

0 0