administrators and security

Hello,

I went through the chapter “Tamino Security” of the “Tamino Manager Documentation”, and while reading the paragraph “Protecting ino:security”,
I created a user “secadmin” within the user group “secgroup” with the corresponding acl “secacl”, where there is “full” access to “ino:security”.
I also created a group “SDOTest”, which is the name of my database. For this group I created an acl “defaultacl”, which has “no” access to “ino:security”.
After I switched the XML-property authentication to “tamino” and restarted the database, I couldn’t modify any of the items user, user group nor acl. I cannot even have a look at already created users, instead I get an “access violation” error.

So my question is, how can I get access rights back?

After this happened, I saw at the end of the chapter the following note:
“When using the Security Manager, the user who is logged into the System Management Hub must have the privileges to make changes to ino:security. This means that an administrator must be defined in Tamino before the Authentication mode is switched to “tamino”.”

Has my problem something to do with this note?
If yes, why is this note stated at the end of the chapter and not at the beginning?

I tried to switch back the authentication mode to “web server”, and then I don’t get an “access violation” error message, but no already created users, user groups nor acl are displayed. If I try to create a new user, I get the following error: “INOXDE7708 Invalid root error”.
If I try to create the user “secadmin” again, I get the error: “INOXXE8610 Definitions for ino:userid, ino:groupname, and ino:aclname in the collection ino:security need to be unique”, which seems to be correct, because I created this user before.
But why aren’t any users displayed at all?

Can anybody help me?

Regards
Marcel

PS: I’m using:
Tamino 4.1.1.1
Apache 2.0.43
Win 2000

Hello Marcel,

the problem is, just as you quoted from the documentation, that the Security Manager is limited to accessing data which you have access permissions to, since it is basically an application which allows you to change the contents of the collection ino:security. So if you want to use the Security Manager, you should add the user which you are using to log into the Tamino Manager to the group “secgroup”. The user information that you use to log into the Tamino Manager will be passed on to Tamino and then you will be able to administer the users and access permissions stored in ino:security.
The messages presented by the Security Manager are the messages that are produced by Tamino, so they are not very user-friendly, since Tamino behaves as if the data does not exist, if you are trying to read data that you don’t have permissions for.

regards,
Heiko Weber

Thanks for your reply Heiko.

You tell me, I should add the user, who is logged into the Tamino Manager, to the user group “secgroup”.
The problem just is, that I cannot create or add any users after I switched the authentication mode to “tamino”.

Am I right, that I cannot change anything within the Security Manager after I made the mistake of not creating the user for the Tamino Manager having access rights for ino:security?

Do I have to create a new database and take care that I don’t make the same mistake again or can I repair my current database?

As in Tamino XML-documents are stored “natively”, is there an XML-document with my created users and groups which I can edit and modify in an editor?

Regards,
Marcel

Hi Marcel,

what you can do (if you are the administrator of the Server where the Tamino DB is running) is create a user ‘secadmin’ on your local machine (which is done by selecting the Start button of your Windows, then selecting Settings/Control Panel/Users and Passwords. Now select ‘Advanced’ and press the ‘advanced’ button. Now go into the ‘Tree’ and select ‘Users’. Press the right mouse button and select ‘New User…’. Add the Username and password and remove the selection from ‘User must change password at next logon’ but select the ‘the password never expires’ check box. Then press ‘create’. Now the user has been created).

Now open the Tamino Manager and log in with the userid and password that you used to log in to the Tamino Manager at the time you created the ‘SDOTest’ database. After you have done the login, open the ‘Administrators’ node, select ‘Tamino’ and select ‘Add Administrator’. The ‘Add Administrator’ window is opened now. Write ‘secadmin’ in the text field and press ‘ok’. After creating the new administrator select your server under the managed hosts in the tree and press the ‘Login As…’ button. Do a login as ‘secadmin’.

Now it should be possible to update the ino:security via the Tamino Manager.

Important to know is, the user doing the login at the Tamino Manager is used for doing the admin calls to Tamino via the Tamino Manager. Which in fact means that this user has to be created under the Tamino users (ino:user) and has to have full access to ino:security.

regards Eckehard

p.s. if you still don’t get it to work and you have important data in the database, call the Tamino support, they are able to help. If you don’t have important data in the database, the easiest way would be to delete the database and create a new one.
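
Added example, not part of the thread and not Tamino code: a simplified Python model of the lockout discussed above, showing the check to run before switching the authentication mode to “tamino”. The class, the Manager login name `hubadmin`, and the rule that undefined users fall into the group named after the database are assumptions of this model, not Tamino's API or storage format.

```python
from dataclasses import dataclass

SECURITY = "ino:security"

@dataclass
class SecurityModel:
    """Simplified stand-in for the contents of ino:security (not Tamino's format)."""
    database: str
    users: dict   # userid -> group name
    groups: dict  # group name -> ACL name
    acls: dict    # ACL name -> {collection: "full" | "no"}

    def access(self, userid, collection=SECURITY):
        # Assumption: a user with no entry falls into the group named after the database.
        group = self.users.get(userid, self.database)
        acl = self.groups.get(group)
        return self.acls.get(acl, {}).get(collection, "no")

    def list_users(self, caller):
        # As described in the thread: without permission, the data appears not to exist.
        return sorted(self.users) if self.access(caller) == "full" else []

    def safe_to_enforce(self, manager_login):
        """Pre-flight check: may this Manager login still administer ino:security?"""
        return self.access(manager_login) == "full"

    def add_to_group(self, caller, userid, group):
        # Changes to ino:security require full access for the caller.
        if self.access(caller) != "full":
            raise PermissionError("access violation")
        self.users[userid] = group

def marcel_setup():
    # Constructed from the names in the thread; "hubadmin" is a hypothetical Manager login.
    return SecurityModel(
        database="SDOTest",
        users={"secadmin": "secgroup"},
        groups={"secgroup": "secacl", "SDOTest": "defaultacl"},
        acls={"secacl": {SECURITY: "full"}, "defaultacl": {SECURITY: "no"}},
    )

if __name__ == "__main__":
    m = marcel_setup()
    print("hubadmin:", m.safe_to_enforce("hubadmin"), m.list_users("hubadmin"))
    print("secadmin:", m.safe_to_enforce("secadmin"), m.list_users("secadmin"))
```

Running the check for the account that logs into the Manager before enabling enforcement catches the situation in which no reachable login can edit the ACLs any more.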