Rick67 Posted November 21, 2016 Report Share Posted November 21, 2016 In the 'Repository Server Permissions', I am in a group that has ALL 'Allowed' permissions. Unfortunately, I don't appear to have permission to deactivate a user. Using the command 'cm deactivateuser S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxx --nosolveuser', I receive the message 'You don't have permissions to deactivate user S-1-5-21-3325927102-2916226932-842127252-66320. You need to be repository server administrator in order to be allowed to complete this operation.' Any suggestions? Link to comment Share on other sites More sharing options...
manu Posted November 21, 2016 Report Share Posted November 21, 2016 Hi Rick, yes, you need to be the Repository Server Owner, change the repository server owner to be your user name and you'll be able to execute the du command. The repository server owner is the Plastic SCM administrator. Link to comment Share on other sites More sharing options...
Rick67 Posted November 21, 2016 Author Report Share Posted November 21, 2016 Tried that but I receive the same message. Link to comment Share on other sites More sharing options...
manu Posted November 21, 2016 Report Share Posted November 21, 2016 Can you try the following? 1) cm whoami -> Get the result 2) cm setowner -user=<Here_The_User_From_Point_1> repserver:serverAddress:8087 And then try the "cm du" command? Link to comment Share on other sites More sharing options...
Rick67 Posted November 21, 2016 Author Report Share Posted November 21, 2016 Still receiving the same message. Link to comment Share on other sites More sharing options...
manu Posted November 21, 2016 Report Share Posted November 21, 2016 Mmmm can we get connected and review it? I'm available right now. https://global.gotomeeting.com/join/374333133 Link to comment Share on other sites More sharing options...
Rick67 Posted November 21, 2016 Author Report Share Posted November 21, 2016 Unfortunately that's not possible because we are on a very secure network. I don’t know if it helps, but I had a look at what’s being passed to the plastic server. The request from the command “cm du XXXXXX --nosolveuser” is a .net remoting call to DeactivateUser.vCodice.CM.Interfaces.ISecurityHandler The reply from the server includes the response- $Codice.CM.Common.CmSecurityException.....mExceptionArgs.ClassName.Message.Data.InnerException.HelpURL.StackTraceString.RemoteStackTraceString.RemoteStackIndex.ExceptionMethod.HResult.Source.... ........System.Collections.IDictionary.System.Exception................$Codice.CM.Common.CmSecurityException......SECURITY_CANT_DEACTIVATE_USER Link to comment Share on other sites More sharing options...
manu Posted November 21, 2016 Report Share Posted November 21, 2016 Hello Rick, I'm not sure why it's not working. Once your current user is the repository server owner you should have privileges to activate and deactivate users. Can you check if the "cm li" command is giving duplicated users? Can you check if this command is returning you the user returned by the "cm whoami" command? cm showowner repserver:server_address:8087 Thanks. Link to comment Share on other sites More sharing options...
Rick67 Posted November 21, 2016 Author Report Share Posted November 21, 2016 There are a number of duplicate users of which one of each is designated 'INACTIVE (Not licenced)'. Interestingly, the user 'OWNER' is also designated 'INACTIVE (Not licenced). The command 'cm showowner repserver:server_address:8087' works fine. I also tried to deactivate user using 'cm deactivateuser {user ID}' but no success. Link to comment Share on other sites More sharing options...
manu Posted November 21, 2016 Report Share Posted November 21, 2016 Hi Rick, is the user you are setting as the repository server owner duplicated or deactivated? Can you try setting a different user as the repository server owner and try to use the du command from the other user computer? Link to comment Share on other sites More sharing options...
Rick67 Posted November 22, 2016 Author Report Share Posted November 22, 2016 We've figured it out! The user is duplicated and one of the accounts is 'INACTIVE'. It seems the 'OWNER' was fixed to the 'INACTIVE' account but by adding the domain to the user, the 'OWNER' is now fixed to the ACTIVE account. Link to comment Share on other sites More sharing options...
manu Posted November 23, 2016 Report Share Posted November 23, 2016 Hi Rick, yes, that was my suspicion, how did you manage to set the "Active" user as the repo server owner? I guess the ACL users dialog was displaying it duplicated as well, right? Link to comment Share on other sites More sharing options...
Rick67 Posted November 24, 2016 Author Report Share Posted November 24, 2016 We have a more serious issue now!!!! I set the 'ALL USERS' group to 'Deny all' and now no one can read the repository, including the owner, even though some users are in a group with appropriate permissions or some are not. Receiving the message, "You don't have permissions for operation view". Link to comment Share on other sites More sharing options...
manu Posted November 24, 2016 Report Share Posted November 24, 2016 Hi Rick, the user set as the repository server owner will be able to access the system and re-add the "ALL_USERS" entry. Notice that denying permissions for the "ALL_USERS" group will affect every user in the system, except for the root user, the repository server owner. Le me share with you how to fix the issue if you are not able to log-in with the root account. Quote IMPORTANT!!!!! First of all, you have to make a backup of repositories.plastic, rep_1.plastic, rep_2.plastic…. files. We will need to modify these database files and it´s important to have a backup. You can find the files at: c:\Program Files\PlasticSCM4\server You need to install a database manager: sqlitebrowser if you are using Sqlite, SQL Management tool if you are using SQL Server… - Open “repositories.plastic” file. Go to “aclinhentry” table and delete all the fields. This table should be empty. - Go to “aclentry” table. You should have 5 fields. Set the next values: 0 0 0 369098751 0 - Open rep_x.plastic (where “x” is the repository number you want to change the permissions). Go to “aclentry” table and delete all the fields. This table should be empty. - Go to “aclinhentry” table. You should have 3 fileds. Set the next values: 0 0 0 - Finally, restart the Plastic Windows service and it´s done. Permissions should have been recovered. Here you have more info regarding the Plastic SCM security: https://www.plasticscm.com/documentation/security/plastic-scm-version-control-security-guide.shtml Link to comment Share on other sites More sharing options...
Rick67 Posted November 24, 2016 Author Report Share Posted November 24, 2016 Unfortunately, the repository server owner had the same problem i.e. "You don't have permissions for operation view". We're now back up and running thanks but the owner doesn't have permissions to deactivate users or change owner again. The owner was fine before I set 'Deny all' to the 'ALL USERS' group. Furthermore, I've also noticed that I now have two ACTIVE accounts! Link to comment Share on other sites More sharing options...
Rick67 Posted November 29, 2016 Author Report Share Posted November 29, 2016 Can anyone help? Link to comment Share on other sites More sharing options...
manu Posted November 29, 2016 Report Share Posted November 29, 2016 Hello Rick, two posts ago you will find a way to edit the databases and fix the issue. Did you try it? Link to comment Share on other sites More sharing options...
Rick67 Posted November 29, 2016 Author Report Share Posted November 29, 2016 We tried that, the problem we are experiencing are the permissions on the repository server. The 'ALL USERS' group was reinstated with all permissions set to allowed. For your information, the 'OWNER' has all permissions set to allowed, is listed as a user with all permissions set to allowed, but is also in a group that has some permissions denied. This is the user who is unable to change owner or deactivate users. We believe the user is the 'ACTIVE' one too. Is there a way of identifying the domain? Link to comment Share on other sites More sharing options...
manu Posted November 29, 2016 Report Share Posted November 29, 2016 Hello Rick, are you having available licenses? Can you create a completely new user, set it as the repository server owner and try the "du" command? If you are not having available licenses then I can generate you a bigger license. We can also think about scheduling an online meeting and review the issue. Link to comment Share on other sites More sharing options...
Rick67 Posted November 29, 2016 Author Report Share Posted November 29, 2016 Unfortunately, an online meeting is not an option due to security. However, through the command line, I've now managed to change the owner to myself by including the domain {domain\user}. I've since identified my other account had a different domain and I've successfully deleted it. Furthermore, I've deactivated the user I was unable to. I now have the two spare licences. Regarding the 'ALL USERS' group, does it simply mean ANY user or group including local and domain service accounts obtain the permissions that are set? Can a user be in two groups? If so, how are permissions overridden? Link to comment Share on other sites More sharing options...
Rick67 Posted December 1, 2016 Author Report Share Posted December 1, 2016 Quote Can anyone answer my questions? Link to comment Share on other sites More sharing options...
manu Posted December 1, 2016 Report Share Posted December 1, 2016 A user can be in multiple groups, 100% supported. The behavior is always the same, the deny permission prevails over the rest, so if the same user belongs to group A and group B the following scenarios may occur: ONE A: mkbranch: DENIED B: mkbranch: GRANTED Result: The user CAN'T create branches. TWO A: mkbranch: GRANTED B: mkbranch: NOT SET (neither granted or denied) Result: The user CAN create branches. THREE A: mkbranch: NOT SET (neither granted or denied) B: mkbranch: NOT SET (neither granted or denied) Result: The user CAN'T create branches. Link to comment Share on other sites More sharing options...
Rick67 Posted December 5, 2016 Author Report Share Posted December 5, 2016 Thanks for that response. It makes sense. Regarding the 'ALL USERS' group, does it simply mean ANY user or group including local and domain service accounts obtain the permissions that are set? Is there way of displaying more information about the user when using the command 'cm li'? For example, displaying the domain? Link to comment Share on other sites More sharing options...
manu Posted December 5, 2016 Report Share Posted December 5, 2016 39 minutes ago, Rick67 said: Regarding the 'ALL USERS' group, does it simply mean ANY user or group including local and domain service accounts obtain the permissions that are set? "ALL_USERS" group contains all the system users, and yes, they will get permissions inherited from that user. Consider "not grant and not deny, just unset" permissions in order to not to hit unwanted denied permissions while inheriting. 45 minutes ago, Rick67 said: Is there way of displaying more information about the user when using the command 'cm li'? For example, displaying the domain? Nop, sorry. Only the user name is displayed. Link to comment Share on other sites More sharing options...
Rick67 Posted December 5, 2016 Author Report Share Posted December 5, 2016 Thanks again for all your help. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.