Read only access issue

Hello,

we have been using an administrator account for some time now, but we now need to create some users with read only permissions. After going into administrator > system-wide > permissions management, we had created a ‘Read Only’ role and added a user into that role within User management… but we needed to add that user into the TN administrator and My webMethods roles so they can actually view the transactions in B2B. Although by doing this it has kept the resubmit and reprocess options, which we do not want. Also, if we removed the two roles (TN administrator and My webMethods) it will throw out this error…

“No server configured.Please contact Administrator”

Can this be amended?

We are running MWS 9.5

Thank you

Hi Bradley,

removing predefined Roles is not recommended as this might corrupt the MWS altogether.

Which My webMethods Roles did you remove exactly?

For the “Read Only” role you should only grant the necessary Access rights, but no Functional rights.
User should only be member of the “Read Only” role which needs to be added to the “TN MWS Users” ACL on IS.

Regards,
Holger

Hey,

I have not removed any roles from the system; I just took a user off of them, hoping to solve the issue. I have placed the user back on them (My webMethods users, TN Administrator and TN MWS User) and added them to the Read only role. I have set all of the functional rights to deny, yet the user can still resubmit files. We thought the other roles were taking priority over the one we made.

I have attached some screenshots. If you require any other information just let me know.

Thank you

Hi Bradley,

please provide the screen shots for the ACL settings from IS for the TN Administrators and the TN MWS Users ACL.

Please try to remove the user having Read Only privs from TN Administrators Role and see what happens.

Remember that IS is caching information from the Central Users directory (MWS) for one hour by default.

Regards,
Holger

Hi,

I have taken off the TN administrator role from the user and it comes up with the error message I had mentioned earlier on. Please see the screenshot below. Also, here are the screenshots of the ACLs; hopefully this will shed light on this issue.

Thanks


Hi Bradley,

please modify the ACLs on IS side and add your ReadOnly Role there.

This will allow the ReadOnly Users to invoke the services on IS side to get the data from the database.
But this will not allow them to perform any actions in TN UI as they do not have any functional privileges.

Regards,
Holger

Hi, thanks for the response. I have created the group within our test IS and added my chosen user who I want to have the permission denied, like I did with MWS. Then I placed the Role into the denied area of the ACL. I still have the same issue; what else needs to be done? Does my group need to be added to any other ACLs within IS?

Thanks again

Hi Bradley,

looks like there is still a misunderstanding of how this concept works between IS and MWS.

You will not need any local custom groups on IS.
You will have the users stored in MWS and define the appropriate group or role there with proper permissions for MWS UI.
In IS this group or role should be added to the Allow list of the TN ACLs via central user management.

Make sure that you have assigned the MWS database schema to a JDBC pool which is mapped to the “Central Users” function.

When editing ACLs in IS select “Central” instead of “Local” and search for your “ReadOnly” group or role.

Regards,
Holger

Hi, apologies for the delay,

I have done the following so far with the ACL: I have placed the ‘system’ Read only role into the TN administrator ACL and saved the changes, but I am not sure what I edit in the central JDBC pool so that it's mapped to the MWS schematic. I am just worried I may do something incorrect.

Thank you kindly

Hi Bradley,

in this pool you must specify the same schema that is mentioned in MWS/server/default/config/mws.db.xml.

This can also be checked in the MWS UI under Administration → My WebMethods → DataSource Settings for the datasource system.

Regards,
Holger

Hi

Just to be clear before I change this: I will take the URL from the current MWS (mws.db.xml) config and paste it into the central JDBC pool alias and save the changes?

URL in the XML:
jdbc:wm:oracle://ualqsop1.ugc:1521;serviceName=ulwmintp.world
Current URL in central pool that is being changed:
jdbc:wm:oracle://uclmadq1.ugc:1521;serviceName=ulwminta.world

Thanks


Hi Bradley,

these URLs need to point to the same database host and schema.

Primarily this needs to be the MWS to which the WmMonitor package is pointing, as well as the SAML Resolver URL in the Settings section.

Regards,
Holger

Hey, sorry, it turns out the URLs are the same on the central JDBC pool and config file. I was looking from our live environment, hence the different URLs.

I have done everything suggested: created the role on MWS, then edited it within permissions management, removing/denying all functional rights, then I have added that role from the central provider into each ACL I think my user account is related to. Yet my user account can still resubmit transactions.

Sorry for the inconvenience

Thank you

Hi Bradley,

the permissions for the tasks are separated from those for the general MWS privileges.

Under the Permissions Tab select “Tasks” instead of myWebmethods Applications and select the affected Tasks.
Then proceed to the next page and select the appropriate rights there.

Regards,
Holger

Hi,

it appears that I would have done this in the first place, but the task tab has no resources located inside of it. Is there a way of adding a task type ID to the task resource?

Thanks again

Hi Bradley,

did you perform a “Search” explicitly?

When switching the perspective from “webMethods Applications” to “Tasks” the list of deployed tasks is not loaded automatically.

Regards,
Holger

Hi,

yes, I did run the search command, which is why I’m unsure why we did not receive any task IDs.

Thanks

Hi,

would it be possible to create the deployed tasks? Should we have them by default? Also, when I attempt to search for them now I receive an invalid session token error. Please see screenshot.

Thanks

Hi Bradley,

please check your TaskEngine and TaskClient configuration.

Regards,
Holger

Hi,

we got it to work. I just needed to configure my read only role in the TN server and remove the standard TN administrator from said user, and it worked fine.

Thank you for your help