Cannot create any objects in a folder after setting up a new workflow state in Plone - permissions

I have some issues with the Plone 4.3.1 permission settings, but I have come a long way with the existing documentation and Aspeli's book. However, I cannot figure out why I am unable to create any object in a folder, even as Site Administrator, after setting up a workflow state that grants permissions to a specific user role.
The workflow-state is called "Show_External" and the permissions that are set through the Permissions tab of the workflow state are as follows:
Permission                 | Acquire | Site Admin | Ext_Supplier
Access content information | -       | X          | X
List folder contents       | -       | X          | X
Modify portal content      | -       | X          | X
View                       | -       | X          | X
I do not want to "Acquire" any permissions because the new role is for an external supplier that has no business with anything else on this particular site.
The result - much against what I expected - is that no one can create any object. The option is shown in the interface, but any attempt results in "Error: Please correct the indicated errors." No errors are indicated, however.
What I can do is make the objects (folders and files) in another folder and then copy and paste them to the folder that is set in the workflow state. Stranger still, once I copy the folder as a subfolder to the External Supplier folder I can add files through QuickUpload, but not by selecting "Add file".
What am I missing in my understanding of the permissions?

You likely ran into a bug, which was fixed just now:
http://plone.293351.n2.nabble.com/Bug-on-sharing-page-upgrade-plone-app-workflow-to-2-1-6-td7566655.html
Does upgrading p.a.workflow help?

The solution in the end was to install plone.app.workflowmanager. For some reason that I do not understand the "Permission Roles" that show up under the workflow states created through ZMI did not have either the "Add" or the Review Permission.
Correcting the permissions through the workflow manager solved the problems.
If you try it out then note that you need to check the "Advanced Mode" checkbox to be able to update the permission settings on existing objects.
Having dredged through ZMI screens for the past few days, the Workflow Manager is a great improvement! Very nicely done.
If someone can still explain why there is a difference between the permissions that I set through ZMI and the workflow manager I would very much like to know (feel free to edit this answer, marked as "community wiki").

Accessing workbooks without having tenant roles?

We have a set of Log Analytics workspaces, each with some workbooks. One workspace for each project. We need to grant the administrators access to the workbooks for general monitoring. I have assigned them as owner on the Log Analytics workspace, but they only see their own workbooks. They cannot see the one I created. When I read this article it states you need:
Global administrator
Security administrator
Security reader
Report reader
Application administrator
But I am sure I have misunderstood that you need those privileges to show workspaces to system administrators. Does anyone know how to manage access for a single workspace and related workbooks?
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks#prerequisites
Where did you save your workbooks? When you saved, you would have picked sub+resource group. Do those users have access to query resources in the sub+resource group you saved yours to?
The workspace RBAC controls access to the database itself, but where you save your resources (the workbooks) determines if other users can see them or not.
If you think of all this as a file system:
1. think of the workspace as a specific database file, "C:\rg1\workspace A\database.db"
2. subscription sub as a drive letter, "sub a" = "C:", "sub b" as "D:", etc.
3. resource group as a folder inside a sub ("D:\rg2")
Just because you granted a user RBAC access to #1 doesn't mean they can see things you saved into #3.
By default, when you save a workbook it would try to save it to the same sub+rg as the workspace itself, but depending on RBAC users might not be able to create resources there.
(With the analogy above, the default setting would be to try to save new workbooks into "C:\rg1" where the workspace is, if you have write access on that RG.)
Additionally, if you created your workbooks at some point in the past, you would have had the option to save them as "shared" or "private" (aka "my workbooks", which we're working on deprecating because this confuses everyone). Make sure you didn't save yours to "my workbooks", as only the author can see those. You'd have to use the "move to shared" command in the editing toolbar to make sure your workbooks are shared so the others can see them.
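The scoping point from the answer above, as an added Python sketch that is not part of the original thread: a role assignment covers its scope and everything beneath it, so Owner on the workspace resource does not reach a workbook saved beside it in the resource group. The subscription ID, resource names and helper functions are constructed for illustration, and every assignment is assumed to include read access.

```python
# Added illustration of Azure RBAC scope inheritance.
# All IDs and names below are constructed placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUB + "/resourceGroups/rg1"
WORKSPACE = RG1 + "/providers/Microsoft.OperationalInsights/workspaces/workspaceA"
WORKBOOK = RG1 + "/providers/Microsoft.Insights/workbooks/11111111-1111-1111-1111-111111111111"
WORKBOOK_RG10 = SUB + "/resourceGroups/rg10/providers/Microsoft.Insights/workbooks/22222222-2222-2222-2222-222222222222"


def _segments(resource_id):
    # Resource IDs are compared case-insensitively, segment by segment.
    return [s.lower() for s in resource_id.strip("/").split("/")]


def scope_covers(scope, resource_id):
    """True if resource_id is the scope itself or lies beneath it."""
    s, r = _segments(scope), _segments(resource_id)
    return len(s) <= len(r) and r[:len(s)] == s


def visible_to(assignments, principal, resource_id):
    """Assumption: any assignment whose scope covers the resource grants read."""
    return any(
        a["principal"] == principal and scope_covers(a["scope"], resource_id)
        for a in assignments
    )


# Constructed assignments: the admin is Owner on the workspace only.
WORKSPACE_ONLY = [{"principal": "admin", "role": "Owner", "scope": WORKSPACE}]
# Adding a resource-group level assignment makes the saved workbook visible.
WITH_RG = WORKSPACE_ONLY + [{"principal": "admin", "role": "Reader", "scope": RG1}]

if __name__ == "__main__":
    print("workspace-only sees workbook:", visible_to(WORKSPACE_ONLY, "admin", WORKBOOK))
    print("with rg1 assignment sees workbook:", visible_to(WITH_RG, "admin", WORKBOOK))
```

Comparing whole path segments rather than raw string prefixes keeps an assignment on rg1 from appearing to cover rg10.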

SenseNet Content Security Model How to read View PermissionInfoView

Please explain how content security works on SenseNet.
Especially how to read the following SN database view:
PermissionInfoView
What is the EFEntries (LocalOnly) flag used for?
In a nutshell: it works very similarly to the file system permissions in Windows.
You can define permissions for individual users, or (more preferably) groups and org units. Defining a permission happens on a content, usually on a container like a workspace or folder. For example you give Open and Save permissions for the Editors group on the Articles folder.
There is inheritance: child content will inherit permissions you defined on the parent folder (unless it was defined as local only, which means not propagated to children). For example if you define a local only Save permission on a document library for John, he will be able to modify the doclib content itself (e.g. change its display name), but not the files inside the library.
To make things a bit more complex, you can break permissions on a content, for example to remove an inherited permission. This may be necessary if you want to hide a subfolder.
For details please visit the Permission System article.
Permission overview GUI
If you have installed the WebPages component of SN7, you get a Permission Overview page that may help you understand the current permission settings in the tree.
The Permission info database view
In case you have the Services component only (so no GUI) or you really want to look under the hood, you can check out this db view to see all the permission settings in the system.
The records here contain all the defined permission entries in the system (so inherited ones cannot be seen here, they are calculated in memory). The Path is the content where the permissions are defined, the Identity can be a user or group, LocalOnly means not propagated to children (see above), the rest is a list of permissions (e.g. Open or Save) and whether they are allowed, denied or undefined.
For details about this and other db elements please visit the DB structure article.
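The inheritance rules described in this answer, as an added Python model that is not sensenet's own code: it evaluates rows shaped like the view's records (Path, Identity, LocalOnly, allowed and denied permissions) for a given content path. The paths and entries are constructed, and two simplifications are assumptions of this sketch: a break is modelled as stopping inheritance from above that node, and a deny wins over an allow.

```python
from dataclasses import dataclass

# Added illustration; a simplified model, not sensenet's implementation.


@dataclass(frozen=True)
class Entry:
    path: str                      # content where the entry is defined
    identity: str                  # user or group name
    local_only: bool = False       # not propagated to children
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()


def chain_to(path):
    """Return every ancestor path of `path`, root first, ending with `path`."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective(entries, breaks, identities, path):
    """Permissions the given identities hold on `path`."""
    chain = chain_to(path)
    # Assumption: evaluation starts at the deepest node with broken inheritance.
    start = max((i for i, p in enumerate(chain) if p in breaks), default=0)
    allowed, denied = set(), set()
    for node in chain[start:]:
        for e in entries:
            if e.path != node or e.identity not in identities:
                continue
            if e.local_only and node != path:
                continue  # local-only entries never reach children
            allowed |= e.allow
            denied |= e.deny
    return allowed - denied  # assumption: deny overrides allow


# Constructed sample data mirroring the examples in the answer.
ENTRIES = [
    Entry("/Root/Sites/Articles", "Editors", allow=frozenset({"Open", "Save"})),
    Entry("/Root/Sites/DocLib", "John", local_only=True, allow=frozenset({"Save"})),
]
BREAKS = {"/Root/Sites/Articles/Hidden"}  # subfolder with broken inheritance

if __name__ == "__main__":
    for who, where in [
        ("Editors", "/Root/Sites/Articles/news"),
        ("John", "/Root/Sites/DocLib"),
        ("John", "/Root/Sites/DocLib/report.docx"),
        ("Editors", "/Root/Sites/Articles/Hidden"),
    ]:
        print(who, where, sorted(effective(ENTRIES, BREAKS, {who}, where)))
```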

How to configure automatic folder assignment for document module in OpenERP 7?

I installed the document and document-ftp modules in my OpenERP environment as described in the OpenERP documentation for Document Management. Next I configured the filestore directory and printed some sample documents like quotations and invoices. All documents are created properly as attachments to the specific resource, also appear in the documents tree view, and exist (with cryptic filenames) in the physical location filestore/db_name/....
But I can't figure out how to configure the automatic (virtual) folder assignment so that, let's say, all quotations appear under the virtual folder Sales Order/Quotations. This does not work even for the folders of type Folders per resource which are installed by the module itself. The field Find all resources is checked.
Googling this topic for days now did not lead to any result. The OpenERP documentation for Document Management is unclear to me, as I followed all the steps properly and still had no luck: all virtual folders remain empty.
Does the content for the folders of type Folders per resource need to be generated somehow somewhere?
Can anyone please point me in the right direction as to what I am missing here?

TFS says I am not a member of the Team Foundation Valid Users group, but I am

I'm trying to check in changes to TFS using VS2013. When I hit the button to submit, TFS returns the following error, "TF14002: The identity {domain} \ {oldaccount} is not a member of the Team Foundation Valid Users group."
Background: my account name has been changed to {newaccount} from {oldaccount}.
When I first started working at this company I'm almost certain I set up my TFS with my old account. But I thought I deleted all that stuff related to my old account and reset everything to my new account. My lead tech has even shown me the account management screen with my new account name. And I've been able to check out items with my new account name.
I performed the following steps to try to "clean out" TFS:
• I copied all of my changed files to a back-up location.
• I undid all changes in TFS (note that TFS has been allowing me to check out files to edit).
• I deleted the TFS entry in Credential Manager per a suggestion online.
• I deleted my Workspace.
• I even deleted my TFS server.
• I rebooted my computer.
• I reconnected to the TFS server.
• I rebuilt my Workspace.
• I restored my changed files from my back-up location.
At this point I tried checking-in my changes again but got the same error message as above.
Any suggestions?
Note that I do NOT have access to the TFS server, much less permissions to perform any sort of admin on it (and I don't know the person who would). So any suggestions beyond simply tweaking my computer will require a trip through the bureaucratic swamp.
One possible positive (related to this issue) is that we've been informed that a number of us need to downgrade from "Ultimate" to "Professional" so if your suggestion is to reinstall Visual Studio, the upside is that I'll be doing that soon anyway.
Thanks,
Doug
EDIT:
Additional Info: I deleted everything in this folder:
C:\Users\ ...\AppData\Local\Microsoft\Team Foundation\5.0\Cache
... but I'm still seeing the error.
UPDATE 1/24/2015:
I did finally "downgrade" from Visual Studio 2013 Ultimate to VS2013 Professional, but I'm still experiencing the same error. Might there be a table in the TFS database that still has an entry for my old account that could be joining to my computer name &/or new account name when TFS goes to look up my account info when I check in my changes? I am getting desperate for an answer!
An addendum: when the sys-admins changed my account name they did not update my computer itself, so I'm still using C:\Users\{oldaccount}. I can't believe that would make a difference but you never know....
UPDATE 2/27/2016:
Sorry for not updating this sooner. I resolved this issue with the help of our DBAs:
There is a table named Constants which contains the domain part and a field named “NamePart”. The resolution was to simply update “NamePart” to “{newaccount}” from “{oldaccount}”. This table also has an SID field which is the user’s SID from the computer’s Registry. You'd only change the SID if a new login to your computer was created. In my case, there was no new login account, just a change to my login account -name-, therefore, no new SID.
And a side note, for situations when one’s email is also spelled incorrectly, there is also the ADObjects table which contains a field named “MailNickName”. This field should be updated as well when a user name is misspelled. For instance, I had the DBA update that field to change “Dug#NotReal.net” to “Doug#NotReal.net”.
Updating the Constants table is imperative to making TFS work; updating ADObjects is only relevant if an alias isn’t included to forward mail from the one email address to the other.
I found a file called VersionControl.config inside of the
C:\Users\{username}\AppData\Local\Microsoft\Team Foundation\5.0\Cache\Volatile\ folder that had my old domain username in. Changed it to my new one and it started working again.
I was having the problem with shell integration, Visual Studio actually worked fine.
I should have posted my answer (update 2/27/2016) as an official Answer. I resolved this issue with the help of our DBAs:
There is a table named Constants which contains the domain part and a field named “NamePart”. The resolution was to simply update “NamePart” to “{newaccount}” from “{oldaccount}”. This table also has an SID field which is the user’s SID from the computer’s Registry. You'd only change the SID if a new login to your computer was created. In my case, there was no new login account, just a change to my login account -name-, therefore, no new SID.
And a side note, for situations when one’s email is also spelled incorrectly, there is also the ADObjects table which contains a field named “MailNickName”. This field should be updated as well when a user name is misspelled. For instance, I had the DBA update that field to change “Dug#NotReal.net” to “Doug#NotReal.net”.
Updating the Constants table is imperative to making TFS work; updating ADObjects is only relevant if an alias isn’t included to forward mail from the one email address to the other.
The above solution did not work for a developer in our company. One of my colleagues came up with the simple idea to do an "undo checkout", which worked. After that the check-in and checkout worked well again.

MS Access database interface update from local

I am extremely new to MS Access. I have a central back-end Access database on a server computer, and all the users have the front-end user interface installed on their systems.
Now, whenever I make any changes to the interface on my local machine, I need to re-install the updated interface on each of their systems. Is there any way that I can make the changes only on my local machine and have them automatically reflected on all the users' systems?
Thank you.
OK, there are a couple of options that you can use to either fully or partially automate this process.
Partial Automation
If you don't have a lot of users and you don't want to do a great deal of coding, you can write a simple batch file or VBS file which you set up on the user's desktop as an icon. The batch file code would look something like the following.
@Echo Off
REM Copy your file from server location to local user machine
xcopy "F:\ServerDirectory\databasename.mdb" "C:\ClientDirectory\databasename.mdb" /E /Y /R
Set this up on the user's machine as an icon, and whenever you want them to update their front end ask them to double click the icon. This will overwrite their client with whatever you place in the location on the server. It is advisable to create all table links to the database back end using UNC paths as well.
I have used this successfully for various applications - I make changes to the front end, place it in the appropriate location on the server and then send a quick e-mail to people just to ask them to double click the bat file icon.
Full Automation
Programmatically set version control up using visual basic so the client checks version number of the client against a server number and if the client is not the latest will download a new version.
This is more involved and full instructions are available here.
Front End Auto Update
When you deploy an MS Access solution like this, you need to decide whether to share the client MDB file between all users, or distribute copies to each user. It sounds like you have taken the second option. Each choice has merits and disadvantages. If you stay with the current approach, you might look at a scripting option to deploy updated client MDB files between users.