Deployer : Access Denied and assignACLs

Hello,

we have an issue when trying to deploy (through WmDeployer) BPMs, services and doc types.
We get this error:

[1249] at com.wm.deployer.deploy.SystemIS.deployAllAssets(SystemIS.java:151)
[1248] at com.wm.deployer.deploy.SystemIS.suspendAdapters(SystemIS.java:649)
[1247] at com.wm.deployer.deploy.utils.SystemISUtil.stopAdapters(SystemISUtil.java:85)
[1246] at com.wm.deployer.deploy.utils.ISTriggersUtil.suspendAdapterNotifications(ISTriggersUtil.java:955)
[1245] at com.wm.deployer.deploy.utils.ISTriggersUtil.isAdapterSuspendOk(ISTriggersUtil.java:2045)
[1244]com.wm.deployer.common.DeployerException: com.wm.deployer.common.DeployerException: [ISC.0064.9314] Authorization Required: [ISS.0084.9004] Access Denied
[1243]2016-01-29 11:22:49 CET [DEP.0005.9999E] Exception: com.wm.deployer.common.DeployerException: [ISC.0064.9314] Authorization Required: [ISS.0084.9004] Access Denied
[1242]2016-01-29 11:22:49 CET [DEP.0005.1007E] The following exception occurred while attempting to process "myDeploymentMap": "com.wm.deployer.common.DeployerException: com.wm.deployer.common.DeployerException: [ISC.0064.9314] Authorization Required: [ISS.0084.9004] Access Denied"

By increasing log levels, we have seen an access denied for user “local/Default”.
We tried to add this user to the Administrators group and the deployment goes further… but this is not a clean solution…

Going further, we get another issue:

2016-01-29 15:27:25 CET [DEP.0005.9990D] The Read'Anonymous' for node: 'CNV_CommonTrtLots.docs:CtxDemand' was deployed to or already exists at the target: ':5555'.
2016-01-29 15:27:25 CET [DEP.0005.9990D] Starting private acl assign 'wm.deployer.resource.gui.IS:assignACLs'
2016-01-29 15:27:25 CET [DEP.0000.9999D] Exception --> wm.deployer.resource.gui.IS:assignACLs
com.wm.deployer.common.DeployerException: wm.deployer.resource.gui.IS:assignACLs
        at com.wm.deployer.deploy.utils.Util.processNotClusterInvokeAll(Util.java:447)
        at com.wm.deployer.deploy.utils.Util.invokeService(Util.java:428)
        at com.wm.deployer.deploy.utils.Util.invokeService(Util.java:345)
        at com.wm.deployer.deploy.utils.ISACLsUtil.processDeployedACLs(ISACLsUtil.java:684)
        at com.wm.deployer.deploy.utils.ISACLsUtil.deployISNodeACLs(ISACLsUtil.java:532)
        at com.wm.deployer.deploy.utils.ISACLsUtil.deployNodeACLs(ISACLsUtil.java:188)
        at com.wm.deployer.deploy.SystemIS.deployNodeACL(SystemIS.java:281)
        at com.wm.deployer.deploy.SystemIS.deployAllAssets(SystemIS.java:184)

I cannot understand this issue.
Moreover the document type “CtxDemand” has no specific ACLs…

Platform configuration looks OK: IS Admin/MWS (WmMonitor configured…) and IS BPM (Settings > Resources > SSO with MWS…).
We have also tried builds with and without ACLs included (ignore, add, exist) without success.

Any help would be appreciated…

Thanks

Hi Benjamin,

are you using custom ACLs and/or users from Central User Management?

The User configured in the Remote Servers needs to be a member of the (custom) ACLs, otherwise they cannot be assigned on the target server.

Additionally, predefined ACLs should not be deployed/overridden, but customized manually beforehand if needed.
Set them to “Exists” when resolving dependencies.

When using Central User Management and you run Deployer with one of these users, please add them to the following ACL:
DeployerAdmin ACL

Regards,
Holger

We are not using any custom ACLs :?

Hi Benjamin,

then you should not have any issues with Deployer when setting the dependencies on the predefined ACLs to Exist.

With which User are you logged in to the IS when trying to deploy?

Regards,
Holger

I have faced a similar kind of issue with Deployer, where I was not able to list project in the Deployer page.

I was able to resolve the issue by assigning the user to Internal ACLs. Just give it a try and see if that resolves your issue.

Try to log in with Administrator and set the dependencies on the predefined ACLs to Exist.

I didn’t see such a behaviour till 8x, but giving Admin access to a local user is not the right option. Kindly reach out to SAG to know the facts.

Thanks,

Hi,

assigning the custom user to Internal ACL and DeployerAdmin ACL should be sufficient, no general Admin Access is needed.

Membership in Internal ACL (or the ACL the RemoteServer uses) is explicitly needed for the target Server, otherwise the custom ACLs (i.e. for WebServices) are not assigned properly.

Regards,
Holger