| Author |
User does not have the authority to perform action
|
|
|
| Hi, i am migrating an application from WCS 5.1 to WC 5.6. Everything is working fine on the new WC 5.6 system except one command (custom) which calls a default WCS command perform an action. At this point i get the following error in the logs
[11/25/05 17:13:35:764 CET] 37eac81c CommerceSrvr E AccManager isAllowed CMN1501E: User 9143423 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderCopyCmd" on resource "com.ibm.commerce.registry.StoreCopy" for command "No
rmalCheckout".
[11/25/05 17:13:35:788 CET] 37eac81c CommerceSrvr E com.ibm.commerce.order.commands.OrderCopyCmdImpl checkResourcePermission The user does not have the authority to run this command "NormalCheckout"
I know this is related with some data in AC* tables and i tried few combinations myself but none has worked so far.
Any help is appreciated. This is really very very urgent.
Thanks
Niranjan Soni
| |
| Robert Brown 2005-11-28, 2:53 am |
| Care to share the AC policies you loaded for the command NormalCheckout?
I might see something that doesn't look right.
R
> Hi, i am migrating an application from WCS 5.1 to WC 5.6. Everything is working fine on the new WC 5.6 system except one command (custom) which calls a default WCS command perform an action. At this point i get the following error in the logs
>
> [11/25/05 17:13:35:764 CET] 37eac81c CommerceSrvr E AccManager isAllowed CMN1501E: User 9143423 does not have the authority to perform action "com.ibm.commerce.order.commands.OrderCopyCmd" on resource "com.ibm.commerce.registry.StoreCopy" for command "
NormalCheckout".
> [11/25/05 17:13:35:788 CET] 37eac81c CommerceSrvr E com.ibm.commerce.order.commands.OrderCopyCmdImpl checkResourcePermission The user does not have the authority to run this command "NormalCheckout"
>
> I know this is related with some data in AC* tables and i tried few combinations myself but none has worked so far.
>
> Any help is appreciated. This is really very very urgent.
>
> Thanks
> Niranjan Soni
| |
|
| Hi Robert
The AC Policies for this command was loaded as part of DB Migration itself (from WCS 5.1 to WC 5.6). From what i can see in the database, this command has a entry in ACRESCGRY table and the command is assigned to resource group "AllSiteUserCmdResourceGrou
p" in ACRESGPRES table. The command also has "Execute" action defined for it in table ACRESACT table.
I would like to mention one thing as well that "NormalCheckout" as we see in the logs is defined in URLREG table as URL with this url pointing to command "com.amivo2.order.commands.NormalCheckoutAmivoCmd" in URLREG.
The access policy that i have mentioned above are defined for command "com.amivo2.order.commands.NormalCheckoutAmivoCmd". I dont whether that makes any difference because i understand that WC should be able to pick the command name corresponding to the UR
L "NormalCheckout" from URLREG and then load the corresponding policy for that command.
Thanks
Niranjan
| |
| Robert Brown 2005-11-29, 2:51 am |
| You might want to extract the AC policies using the acpextract utility
and filter out the command's policies migrated at the db level so you
know what is there. Makes it easier to make modifications and reload
those policies on other machines too.
Considerable differences were introduced from v5.1 to v5.6 to the access
control model. My gut feeling is your migration utility (?wcim?) didn't
handle your command as gracefully as the OOB commands. If the access
control rows custom to your application's commands were migrated
directly by the DBA I know you aren't going to have success here.
R
> Hi Robert
> The AC Policies for this command was loaded as part of DB Migration itself (from WCS 5.1 to WC 5.6). From what i can see in the database, this command has a entry in ACRESCGRY table and the command is assigned to resource group "AllSiteUserCmdResourceGr
oup" in ACRESGPRES table. The command also has "Execute" action defined for it in table ACRESACT table.
>
> I would like to mention one thing as well that "NormalCheckout" as we see in the logs is defined in URLREG table as URL with this url pointing to command "com.amivo2.order.commands.NormalCheckoutAmivoCmd" in URLREG.
>
> The access policy that i have mentioned above are defined for command "com.amivo2.order.commands.NormalCheckoutAmivoCmd". I dont whether that makes any difference because i understand that WC should be able to pick the command name corresponding to the
URL "NormalCheckout" from URLREG and then load the corresponding policy for that command.
>
> Thanks
> Niranjan
| |
| Robert Brown 2005-11-29, 7:51 am |
| I pulled an example from a recent project. This may match what you can
extract with acpextract but might also indicate something you are missing:
<ResourceCategory
Name="com.ibm.commerce.order.objects.OrderResourceCategory"
ResourceBeanClass="com.ibm.commerce.order.objects.Order"
PrimaryResourceTable="ORDERS"
PrimaryResourceOwnerTable="STOREENT"
PrimaryResourceOwnerColumn="MEMBER_ID"
ResourceKeyOwnerColumn="STOREENT_ID">
<ResourcePrimaryColumns PrimaryResourceKeyColumn="ORDERS_ID"/>
<ResourceAttributes Name="Status" AttributeTableName="ORDERS"
AttributeColumnName="STATUS" ResourceKeyColumnName="ORDERS_ID"/>
<ResourceAction Name="com.amivo2.order.commands.NormalCheckoutAmivoCmd"/>
</ResourceCategory>
<ResourceCategory
Name="com.amivo2.order.commands.NormalCheckoutAmivoCmdResourceCategory"
ResourceBeanClass="com.amivo2.order.commands.NormalCheckoutAmivoCmd">
<ResourceAction Name="ExecuteCommand"/>
</ResourceCategory>
<ActionGroup Name="OrderProcess" OwnerID="RootOrganization">
<ActionGroupAction
Name="com.amivo2.order.commands.NormalCheckoutAmivoCmd"/>
</ActionGroup>
<ResourceGroup Name="BecomeUserCmdsResourceGroup"
OwnerID="RootOrganization">
<ResourceGroupResource
Name="com.amivo2.order.commands.NormalCheckoutAmivoCmd"/>
</ResourceGroup>
<ResourceGroup Name="ResellerUserCmdResourceGroup"
OwnerID="RootOrganization">
<ResourceGroupResource
Name="com.amivo2.order.commands.NormalCheckoutAmivoCmd"/>
</ResourceGroup>
<ResourceGroup Name="RegisteredUserCmdResourceGroup"
OwnerID="RootOrganization">
<ResourceGroupResource
Name="com.amivo2.order.commands.NormalCheckoutAmivoCmd"/>
</ResourceGroup>
Tip: Review defaultAccessControlPolicies.xml and locate an OOB command
that is similar to NormalCheckoutAmivoCmd. Mimic all references to any
ResourceCategory, ResourceGroupResource, ActionGroupAction, etc. for
your command. I picked the OrderProcessCmd as a close guess. The more
customized your logic the more complicated the policies become.
R
> Hi Robert
> The AC Policies for this command was loaded as part of DB Migration itself (from WCS 5.1 to WC 5.6). From what i can see in the database, this command has a entry in ACRESCGRY table and the command is assigned to resource group "AllSiteUserCmdResourceGr
oup" in ACRESGPRES table. The command also has "Execute" action defined for it in table ACRESACT table.
>
> I would like to mention one thing as well that "NormalCheckout" as we see in the logs is defined in URLREG table as URL with this url pointing to command "com.amivo2.order.commands.NormalCheckoutAmivoCmd" in URLREG.
>
> The access policy that i have mentioned above are defined for command "com.amivo2.order.commands.NormalCheckoutAmivoCmd". I dont whether that makes any difference because i understand that WC should be able to pick the command name corresponding to the
URL "NormalCheckout" from URLREG and then load the corresponding policy for that command.
>
> Thanks
> Niranjan
|
|
|
|