Question

Permission denied error when using SDK to set user to NAMED_USER_READWRITE

asked on December 1, 2014

I need to mass create "Laserfiche Users" in a repository, using a Laserfiche SDK script in a Workflow that gets user info data from the corporate database.

This script is working fine and can create users with all the properties I need except one. The script can't assign a full license to repository users. I get a permission denied error.

As a workaround, on my Avante system, I have found a way to assign licenses to all users at once the following way: In the Admin console, we can select many users and we go to "All Task" and choose "Add to named users"

But the customer system is RIO. In the admin console, when I select many users, I don't have the option to "Add to named users" under "All Task".

In the SDK Script, the line where it's giving the error is:   NewUser.NamedUserStatus = Named_User_Status.NAMED_USER_READWRITE

Is it normal that I get this permission denied error?
What is the workaround?

0 0

Replies

replied on December 1, 2014

First step is to make sure that the Windows domain user that the workflow is running the script as is listed in the Laserfiche Server Managers node of the LF Admin console on the server.

Next step is to make sure that in a Rio system, the LF server has available named users assigned to it to be assigned as repository named users.  By default in Rio, the named licenses are assigned to users/machines through the License Manager (now Directory Service) and if you want to have LF Named users in a repository, the Named License must be assigned to the LF Server through the License Manager.

0 0
replied on December 2, 2014

Hi Bert and thank you for your comments.

On the RIO system, enough user licences are already assigned to the repository so enough licenses are available.

On my VAR Avante system, everything is on the same box and the workflow is running as a Laserfiche user that has all the rights & privileges of the admin user. I also have unassigned licenses that are available for my script to assign to users. If I log in with this Workflow user to the admin console, I can assign licenses to users.

My question is, does this permission denied error come from an LFSO restriction, and does it work using RA? I have not used RA yet due to lack of VB examples.

 

0 0
replied on December 2, 2014

Don't suppose you are running the utility as a user with the system manager role for that Server? You need that in order to modify named user settings.

0 0
replied on December 3, 2014

The script is a Workflow "SDK Script" running within the workflow. The Workflow user running this is called "Workflow" and is an LF trustee that has full ADMIN rights and privileges.

I know that the OS Logged in user must be part of the System Manager.

The Workflow service is running as LocalSystem.

I'll do additional testing but let me know if you have any idea.

0 0
replied on December 3, 2014

I have changed the Workflow Service user from "LocalSystem" to a domain account that is local admin of my station.

I have run the workflow again and I still get a permission denied.

Should I create a support case?

0 0
replied on December 5, 2014

It looks like not only do you need to be a system manager, but you need to use the system manager login - basically, you need to be connected to the LF Server in a system manager session to actually modify the named user list now.

One workaround is simply to disable this new security. If you aren't concerned about people being able to view or modify named users on your Server through scripts, you should be able to set DWORD HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\Engine\8.0\HttpServ\CheckAdminNUDB to 0. (I'm pretty sure it's 0, if that doesn't work try 1). That should revert this back to the 9.1 security check.

0 0
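
An added example, not part of the original reply and not Laserfiche tooling: a PowerShell check that reports whether the CheckAdminNUDB value named in the reply above has been set on a server, so that a leftover workaround stays visible to administrators. The key path and value name are the ones quoted in the reply; the function name and the use of the 64-bit registry view are assumptions.

```powershell
# Added example: audit for the CheckAdminNUDB value quoted in the thread.
# Function name and the 64-bit registry view are assumptions.
function Get-CheckAdminNudbState {
    param(
        # Hosts to inspect; the default is the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $subKey    = 'SOFTWARE\Laserfiche\Engine\8.0\HttpServ'
    $valueName = 'CheckAdminNUDB'
    $hive      = [Microsoft.Win32.RegistryHive]::LocalMachine
    $view      = [Microsoft.Win32.RegistryView]::Registry64

    foreach ($computer in $ComputerName) {
        $base = $null
        $key  = $null
        $state = [ordered]@{
            Computer = $computer; Present = $false; Kind = $null
            Value = $null; Note = 'Value not set; server default applies'
        }
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            }
            else {
                # Remote reads need the Remote Registry service and admin rights.
                $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer, $view)
            }
            $key = $base.OpenSubKey($subKey)
            if ($key -and ($key.GetValueNames() -contains $valueName)) {
                $state.Present = $true
                $state.Kind    = $key.GetValueKind($valueName)
                $state.Value   = $key.GetValue($valueName)
                # The thread does not settle whether 0 or 1 relaxes the check,
                # so any explicit value is flagged for review.
                $state.Note = 'Explicit value set; review or remove if unintended'
            }
        }
        catch { $state.Note = "Could not read registry: $($_.Exception.Message)" }
        finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
        [pscustomobject]$state
    }
}

Get-CheckAdminNudbState | Format-Table -AutoSize
```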
replied on December 12, 2014

Hi Justin,

I have created that registry key "CheckAdminNUDB" with value 0 or 1 and it doesn't have any effect on the result. I still get a permission denied error.  For your info, I took the time to restart LFS after changing the registry key.

I kept searching but was not successful. Let me know if you have other ideas.

Thanks

0 0
replied on March 2, 2015

Has anyone solved this?  I'm getting what may be the same issue with Server 9.2 and Workflow 9.2 using RA.  If I try to

    UI.NamedUserStatus = NamedUserStatus.ReadWrite;
    UI.Save();

I get

Access denied. [9013] [9013]

Setting other settings like the username, password, etc seems to be OK.

I tried the "CheckAdminNUDB" registry thing and it didn't seem to have an effect.

 

 

EDIT- I see NamedUserStatus is read-only in the RA 9.2 library. And it's not working with another 9.2 server outside of workflow (same error), even with a 9.1 or 9.0 library.

How do you set named users via the SDK with a 9.2 Laserfiche server? The old way that still seems to be in the documentation doesn't seem to work.

0 0
replied on March 2, 2015

Did you restart the Server after setting the registry key? 

If that didn't work, can you confirm that the user is a system manager on the Server machine and is logging in through the system connection?  

0 0
replied on March 2, 2015

Hi,

Thanks for the reply.

I did reboot the entire machine and still had the same trouble.  As best I can tell, the user is a system manager and has all permissions. 

I've moved this issue to my test workstation, in Visual Studio, where I get the same error with a version 9.2 server via an SDK script I wrote to check on the problem (any RA library - 9.0 to 9.2). I'll post my poorly written test code here, maybe it's a mistake I'm overlooking:

                String userName = "testUser";
                String password = "12345";
                RepositoryRegistration myRepoReg = new RepositoryRegistration("localhost", "RepositoryName");
                Session mySess = new Session();
                mySess.LogIn("admin", "password", myRepoReg);
                UserInfo UI = new UserInfo();
                UI.Session = mySess;
                UI.Name = userName;
                UI.Password = password;
                UI.MustChangePassword = true;
                //This works.
                UI.Save();
                try
                {
                    UI.NamedUserStatus = NamedUserStatus.ReadWrite;
                    //This doesn't work. 'Access denied [9013]'
                    UI.Save();
                }
                catch (Exception e)
                { MessageBox.Show(e.Message.ToString()); }
                mySess.LogOut();
                mySess.Close();
                mySess.Discard();

Edit- Oh, with the 9.2 RA library the "UI.NamedUserStatus = NamedUserStatus.ReadWrite;" doesn't seem to be allowed.

0 0
replied on July 21, 2015

Has this been resolved? I am trying to do the same process and get an access denied.

0 0
replied on July 22, 2015

    LaserficheNamedUserDatabase lfnudb = LaserficheNamedUserDatabase.GetFromServerInstance(server);
    lfnudb.RegisterLaserficheNamedUser(username, repository, NamedUserStatus.ReadWrite);

Please try the above code.

0 0
replied on June 29, 2016

Got the same error (access denied).

Has anyone found how to bypass this access denied?

Here is the code I used:

    string acctName = "Mydomain\\rperrault";
    TrusteeInfo trustee = new TrusteeInfo();
    trustee.FeatureRights = FeatureRights.Scan | FeatureRights.Search | FeatureRights.Print | FeatureRights.Export;

    // Set the feature rights for the account
    Trustee.SetInfo(acctName, trustee, RASession);

    // before this point, it works because the windows user is created

    AccountReference acctRef = new AccountReference(acctName, RASession);

    Server server = new Server();
    ServerManagement sm = new ServerManagement(server);

    LaserficheNamedUserDatabase nudb = LaserficheNamedUserDatabase.GetFromServerManagement(sm);
    TrusteeInfo userInfo = Trustee.GetInfo(acctRef, RASession);
    if (nudb.GetLaserficheNamedUser(acctRef.ToSecurityIdentifier()) == null)
    {
        NamedUserStatus newStatus = NamedUserStatus.ReadOnly;
        if (userInfo.NamedUserStatus == NamedUserStatus.None)
            nudb.RegisterLaserficheNamedUser(acctRef.AccountName, "CreeNation", newStatus);
        else if (userInfo.NamedUserStatus != newStatus)
            nudb.UpdateLaserficheNamedUser(acctRef.ToSecurityIdentifier(), newStatus);
    }

 

0 0