I've configured an IMAP Watcher Node to point at a Gmail-based account. The Test of the connection returns success. However, when I run the node in the design tool, I get this error:
IMAP Watcher(v1.0.1.6): An operation requiring Environment permission
was denied. Check Node Connection and properties or consider using a
DropPoint.
I imagine the "permission" it needs is to move the processed message from the Watch folder to the Processed folder. It's connecting to the mailbox with the credentials of the mailbox owner. Why would permissions be denied?
Please help.
Related
I would like to restrict some functions in a user written server add-in for certain users or groups.
Question: Is it possible to get (via an API) the user name who is sending a "Tell" command from a remotely connected server console?
Example:
Tell AddinName Command (issued remotely by Hotline User)
Tell AddinName Command (issued remotely by Admin User)
The remote console (and therefore the "Tell" command) is available to both users, but a subset of commands should only be allowed to authorised users (e.g. Group in Server Document->Security).
Is the user name (entering the "Tell" command) available (e.g. in the MessageQueue)?
I know that internally in Domino there are already some restriction possible to commands issued at the console.
The session.getCommonUserName() always returns the server name (since the add-in runs in context of the server).
Thanks for any pointer or ideas.
Andy
I believe that the answer to this is no, and it would not be advisable to implement tell commands that you can't trust to all authorized administrators.
If you really do need to confirm a user identity for a command, you're going to need to use database to queue the commands. I.e., you could build an application that stores the commands in documents in a database with a restricted ACL. Your addin code can use an Extension Manager hook to monitor the database for changes and read new documents when they appear, or you could have your application use NotesSession.SendConsoleCommand to issue something like 'tell myAddIn process ' to wake up your addin and give it the noteid of the document it just created. If you need to protect against people with full access admin rights overriding the ACL, your application could digitally sign the documents and your addin could verify the signatures.
I am trying to run this powershell cmdlet :
Get-AzureRmDataLakeStoreChildItem -AccountName "xxxx" -Path "xxxxxx"
It fails with an access error. It does not really make sense because i have complete access to the ADLS account. I can browse in the Azure portal. It does not even work with a AzureRunAsConnection from an automation account. But it works perfectly for my colleague. What am i doing wrong?
Error :
Operation: LISTSTATUS failed with HttpStatus:Forbidden
RemoteException: AccessControlException LISTSTATUS failed with error
0x83090aa2 (Forbidden. ACL verification failed. Either the resource
does not exist or the user is not authorized to perform the requested
operation.).
[1f6e5d40-9be1-4682-84be-d538dfca0d19][2019-01-24T21:12:27.0252648-08:00]
JavaClassName: org.apache.hadoop.security.AccessControlException.
Last encountered exception thrown after 1 tries. [Forbidden (
AccessControlException LISTSTATUS failed with error 0x83090aa2
(Forbidden. ACL verification failed. Either the resource does not
exist or the user is not authorized to perform the requested
operation.).
I don't see any firewall restrictions :
I resolved the problem by providing read and execute access to all parent folders in the path. Since ADLS uses the POSIX standard, it does not inherit permissions from parent folders. So, even though the SPN(generated by the automation account) i was using had read/execute access to the specific folder i was interested in, it did not have access to other folders in that path.
I looked at the config files everything is fine, made environment variables PATH's, started and restarted the service put in the right password, searched for someone with similar problems(not found).
Every time i go to the default location via browser I get the login screen but when i put in 'root' and the password I get an error message 'Login Failed'.
When I set athenticate=false in the conf file i can access the web manager.
Anybody know how to solve this or at least what might be wrong?
During the installation, the ArangoDB Installer will ask you the password for the administrator user.
Use root as user name with your password to gain access to the database.
Open a CMD-Window in your ArangoDB installation directory.
To re-gain access to the database, stop the ArangoDB database service using
sc stop ArangoDB
after the database was stopped, invoke
.\usr\bin\arango-secure-installation
which will ask you for a new password.
After that, start the service again using:
sc start ArangoDB
I am attempting to use Liquibase to deploy changes to SQL Server.
I have set up the sqljdbc jar file and placed it in my local maven repository. I then attempt to use the liquibase-maven-plugin to run the changes placed in the changelog for the given connection URL.
Here is what my connection URL is: jdbc:sqlserver://localhost:1433;user=Jenkins_BuildServices;password=hi;
I already created the login on my localhost and gave it sysadmin privileges. I also have made sure that the properties -> security is set to both SQL Server and Windows Authentication mode. Any ideas as to why the url being passed in is giving me back this error and not reading it from the URL?
In my organization we are deploying our components using Microsoft TFS. The NServiceBus components are deployed as Windows Service by the BuildPortal.It typically creates the automated MSI packages and deploys it on the target servers. To deploy the MSI packages, the build portal uses the Service account (the Administrator/SuperUser). The NServiceBusHost will not run with the same service account, either it will use the System account or different Service account, which has restricted permission on the server and the account will not be part of the Administrator group.
In short, the Host /install command runs with different account than the actual NServiceBusHost execution. During the install, all the required queues are created by the installer (by using NServiceBus.Integration profile). Now, the problem is, since the queue created by different account than the original service account, it throws the following error.
Message:Could not create queue error#xxxxxxx01 or check its existence. Processing will still continue.
NServiceBus.Utils.MsmqUtilities.CreateQueueIfNecessary(:0)
System.Messaging.MessageQueueException (0x80004005): Access to Message Queuing system is denied.
at System.Messaging.MessageQueue.SetPermissions(AccessControlList dacl)
at NServiceBus.Utils.MsmqUtilities.SetPermissionsForQueue(String queue, String account)
at NServiceBus.Utils.MsmqUtilities.CreateQueueIfNecessary(Address address, String account)
To resolve the above error, we tried to use the INeedToInstallSomething. But, there are no proper documentation/sample on how to use or what to use inside the Install() method. When we call the Configure.Instance.ForInstallationOn().Install() the installer is not creating the queues as expected. All we wanted is, to get the list of dependent queues of current installer & set the permission something like this >> messageQueue.SetPermissions(serviceAccount, MessageQueueAccessRights.FullControl)
Is this possible to get all the dependent queues for the current Host and assign the permission during the Host install only.
NOTE:
We dont want to move this logic outside of the host for now. Yes,
having a simple PSS may help to reslove this issue.
We have to use the restricted account to run the Host which can't be a Administrator.
I would try either INeedToInstallInfrastructure<T> and set the permissions there, or this may be like the perf counters which uses IWantToRunBeforeConfigurationIsFinalized. You may need the latter and I'm not sure what order if any is used for INeedToInstallInfrastructure<T>.