Question

User Security Properties Report Data Location

asked on March 25, 2022

Hey everyone,

 

Sorry if I am not explaining this properly as I am somewhat new to Laserfiche Administration. In the desktop client (Version 10.4), there is an option in Tasks < Generate Report... < User Security Properties Report. This report is great when we need to see what repository groups a user has access to. The only issue is the process can be quite tedious if you have a lot of users joining and leaving, so I wanted to see if I could automate it by querying the database and emailing us the report. I've searched through our Laserfiche database, and I can't seem to find the correct tables and attributes to associate a specific user to a repository group. Currently, a user can be associated with a repository group in the following ways:

 

  1. Through another Laserfiche repository group
  2. Through a network group setup in Active Directory
  3. Through inputting them in directly in Laserfiche Administration Console

 

All of our users should be directory users except for our admin and workflow account, which are repository users. What is the easiest way to query all of this information? The user security properties report appears to be using the users SID, but I can't find the table in our Laserfiche database that associates a user's SID to a particular repository group.

 

Any help would be much appreciated!

0 0

Answer

SELECTED ANSWER
replied on March 28, 2022

The most reliable way to get a trustee's group membership is with the SDK. Using the RepositoryAccess library, you can get group membership with Trustee.GetEffectiveAccessTokenInfo:

// Requires: using System.Security.Principal; using Laserfiche.RepositoryAccess;
// Assumes "session" is an open RepositoryAccess Session and "trusteeSid" is the
// SecurityIdentifier of the user whose group membership is being looked up.
EffectiveAccessTokenInfo tokenInfo = Trustee.GetEffectiveAccessTokenInfo(trusteeSid, session);

foreach (var groupSid in tokenInfo.Groups)
{
    // Resolve each group SID back to a displayable account name
    AccountReference grp = new AccountReference(groupSid, session);
    Console.WriteLine($"{grp.AccountName}");
}

This is the method that the desktop client uses for the User Security Properties report.

1 0
replied on March 29, 2022

First, I want to say thank you for the timely response and great answer! However, I am having a few issues when attempting to run the code:

 

  1. It's saying unexpected character '$,' which I believe has to do with not being on C# 6.0. The fix appears to be changing to String.Format, but since I am new to coding, I am having some troubles with this.
  2. It's saying the name 'trusteeSid' does not exist in the current context. It also says this for the two 'session' names. Is there a way to test the code with a specific trustee SID so I can visualize what the script is doing?

 

Thanks again!

0 0
replied on March 30, 2022

Do you have the Laserfiche SDK installed? The sample code requires a bit of knowledge about programming with the SDK. I suggest looking through the SDK documentation and sample code to familiarize yourself with signing in to Laserfiche.

For issue #1, replace the line with Console.WriteLine(String.Format("{0}", grp.AccountName));

For issue #2, trusteeSid is the SecurityIdentifier for the trustee whose groups are being looked up. The session variable is the RepositoryAccess session object that you get when your SDK application connects to the Laserfiche repository.

Here is a sample command line application that will report the group membership for all users in the repository:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using Laserfiche.RepositoryAccess;

class GroupMembershipReport
{
    static void Main(string[] args)
    {
        try
        {
            string server = "servername"; // server name here
            string repository = "repositoryname"; // repository name here
            string username = "admin"; // username here, or blank for windows authentication
            string password = ""; // password here

            // Well-known SID for "Everyone"; every trustee is a member, so it is skipped below
            SecurityIdentifier EVERYONE_SID = new SecurityIdentifier("S-1-1-0");

            RepositoryRegistration rr = new RepositoryRegistration(server, repository);

            using (Session session = new Session())
            {
                if (!string.IsNullOrEmpty(username))
                    session.LogIn(username, password, rr);
                else
                    session.LogIn(rr);

                var trusteeList = new List<SecurityIdentifier>();

                // Add Laserfiche repository accounts
                trusteeList.AddRange(Account.EnumUsers(session).Select(account => account.Sid));

                // Add windows accounts
                trusteeList.AddRange(Trustee.EnumAllWindowsAccounts(session).Select(account => account.Sid));

                // Add LDAP accounts
                trusteeList.AddRange(Trustee.EnumSecuredLdapAccounts(session).Select(account => account.Sid));

                foreach (var sid in trusteeList)
                {
                    AccountReference acctRef = new AccountReference(sid, session);
                    string accountName = acctRef.AccountName;

                    if (acctRef.TrusteeType == TrusteeType.WindowsAccount && !acctRef.IsUser)
                        continue; // Don't retrieve groups for other groups

                    Console.WriteLine(String.Format("Groups for {0}:", accountName));

                    try
                    {
                        EffectiveAccessTokenInfo tokenInfo = Trustee.GetEffectiveAccessTokenInfo(sid, session);

                        List<string> groupNames = new List<string>();
                        foreach (var groupSid in tokenInfo.Groups)
                        {
                            if (groupSid == EVERYONE_SID)
                                continue; // Ignore everyone group

                            AccountReference grp = new AccountReference(groupSid, session);
                            groupNames.Add(grp.AccountName);
                        }

                        if (groupNames.Count == 0)
                            Console.WriteLine("    <none>");
                        else
                        {
                            foreach (var groupName in groupNames)
                            {
                                Console.WriteLine(String.Format("    {0}", groupName));
                            }
                        }
                    }
                    catch (Exception ex)
                    {
                        // One unresolvable trustee should not abort the whole report
                        Console.WriteLine(ex.Message);
                    }
                }
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }

        Console.WriteLine("Done");
    }
}

 

0 0
replied on March 30, 2022

Hey Robert,

 

I don't think we have access to the Laserfiche SDK with our RIO package. Would we need the SDK to create a script in the Workflow Designer to perform this action? If that is the case, is there an alternative way to grab this information such as querying the database?

 

Thank you,

0 0
replied on March 30, 2022

You don't need the SDK to use the SDK script activity in Workflow. However, the SDK documentation is only available when you purchase the SDK.

If you are using the code above in Workflow, you'll want to remove the parts where it establishes a connection to the repository on its own and replace all references to "session" with this.RASession to use the built-in connection the SDK script activity makes for you.

0 0
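The adaptation described above, written out as an added example (not code from the thread or from Laserfiche): the console program earlier in the thread reshaped for a Workflow SDK Script activity. It assumes the generated activity class exposes this.RASession (named above) and a SetTokenValue(name, value) helper, and that the namespace and base class names match what your Workflow Designer version generates; the report is collected into tokens because a script running under Workflow Server has no console to print to.

```csharp
// Added example, not from the thread. Assumed: this.RASession is the activity's open
// session; SetTokenValue(name, value) publishes a workflow token; namespace and base
// class are whatever the SDK Script activity generates for your Workflow version.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Text;
using Laserfiche.RepositoryAccess;

namespace WorkflowActivity.Scripting.SDKScript
{
    public class Script1 : RAScriptClass104   // generated base class; adjust to your version
    {
        protected override void Execute()
        {
            Session session = this.RASession;            // no LogIn: Workflow already connected
            var everyone = new SecurityIdentifier("S-1-1-0");
            var report = new StringBuilder();
            int usersWithoutGroups = 0;                  // worth a look: orphaned or stale accounts

            var sids = new List<SecurityIdentifier>();
            sids.AddRange(Account.EnumUsers(session).Select(a => a.Sid));
            sids.AddRange(Trustee.EnumAllWindowsAccounts(session).Select(a => a.Sid));
            sids.AddRange(Trustee.EnumSecuredLdapAccounts(session).Select(a => a.Sid));

            foreach (var sid in sids)
            {
                var acct = new AccountReference(sid, session);
                if (acct.TrusteeType == TrusteeType.WindowsAccount && !acct.IsUser)
                    continue;                            // report users, not groups

                var groups = new List<string>();
                try
                {
                    foreach (var groupSid in Trustee.GetEffectiveAccessTokenInfo(sid, session).Groups)
                    {
                        if (groupSid == everyone) continue;   // Everyone tells an auditor nothing
                        groups.Add(new AccountReference(groupSid, session).AccountName);
                    }
                }
                catch (Exception ex) { groups.Add("<error: " + ex.Message + ">"); }

                groups.Sort();
                if (groups.Count == 0) usersWithoutGroups++;
                report.AppendLine(acct.AccountName + ": " +
                    (groups.Count == 0 ? "<none>" : string.Join(", ", groups)));
            }

            // Tokens carry the result to later activities, e.g. an Email activity
            SetTokenValue("GroupReport", report.ToString());
            SetTokenValue("UsersWithoutGroups", usersWithoutGroups.ToString());
        }
    }
}
```

Reference the %(GroupReport) and %(UsersWithoutGroups) tokens from the Email activity that follows the script.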
replied on March 30, 2022

Hey Miruna,

 

I think I made the appropriate changes, but I am now getting these errors:

 

1    The type or namespace name 'SecurityIdentifier' could not be found (are you missing a using directive or an assembly reference?)

2    The type or namespace name 'SecurityIdentifier' could not be found (are you missing a using directive or an assembly reference?)

3    The type or namespace name 'SecurityIdentifier' could not be found (are you missing a using directive or an assembly reference?)

4    'Laserfiche.RepositoryAccess.AccountInfoReader' does not contain a definition for 'Select' and no extension method 'Select' accepting a first argument of type 'Laserfiche.RepositoryAccess.AccountInfoReader' could be found (are you missing a using directive or an assembly reference?)

5    'Laserfiche.RepositoryAccess.WindowsAccountReader' does not contain a definition for 'Select' and no extension method 'Select' accepting a first argument of type 'Laserfiche.RepositoryAccess.WindowsAccountReader' could be found (are you missing a using directive or an assembly reference?)

6    'Laserfiche.RepositoryAccess.LdapAccountReferenceReader' does not contain a definition for 'Select' and no extension method 'Select' accepting a first argument of type 'Laserfiche.RepositoryAccess.LdapAccountReferenceReader' could be found (are you missing a using directive or an assembly reference?)

 

I believe all the proper references have been added, but it appears that I am missing some things.

 

Thanks,

0 0
replied on March 30, 2022

Your code is missing using blocks at the top:

using System.Linq;

using System.Security.Principal;

 

0 0
replied on March 30, 2022

Hey Robert,

 

There appears to be no errors now, but I am in the process of debugging the SDK script because no values are appearing.

 

Thanks for your help!

0 0
replied on June 12, 2024

Hi, I am looking to loop through all the allowed users to get what group(s) each of them belongs to.

 

Can this be done?

1 0
