DUAS6: commands returns error: "abandon" or "Access denied error" or "Non-existent task"
Article ID: 112625
Updated On:
Products
CA Automic Dollar Universe
Issue/Introduction
Some commands like "uxordre" or "uxadd fla" fail when launched the command as a specific system username.
Same commands work when launched as the Dollar Universe Administrator / root or some specific users.
Example of the command that fails when launched as username:
$UXEXE/uxordre tsk=TASKNAME mu=MUNAME param=test
(Technical info is absent: abandon)
or
$UXEXE/uxordre tsk=TASKNAME mu=MUNAME param=test
Non-existent task
Or:
$UXEXE/uxadd fla tsk=TASKNAME mu=MUNAME pdate=08/01/2018
Access denied error
command in error!!
Same commands work when launched as the Dollar Universe Administrator / root or some specific users.
Example of the command that fails when launched as username:
$UXEXE/uxordre tsk=TASKNAME mu=MUNAME param=test
(Technical info is absent: abandon)
or
$UXEXE/uxordre tsk=TASKNAME mu=MUNAME param=test
Non-existent task
Or:
$UXEXE/uxadd fla tsk=TASKNAME mu=MUNAME pdate=08/01/2018
Access denied error
command in error!!
Environment
Component: Dollar Universe 6
Operating System: All
Operating System: All
Cause
The System User Pattern (proxy) is mapped to a Group that does not have enough permissions to execute the required Operation.
In order to find the root cause, the main log level needs to be increased to 0,SECURITY so that we can see what specific "Role" has been used and what permission is denied.
Example:
|TRACE|X|IO |pid=p.t| getSecurity | 25 security patterns available
...
|TRACE|X|IO |pid=p.t| IsMatchProxyFilter | System user HOSTNAME\USERNAME matches pattern */*\*
|TRACE|X|IO |pid=p.t| getSecurity | Client uxordre username on hostname.domain has 4 security roles
...
|INFO |X|IO |pid=p.t| o_check_security | GRANTED ACCESS: role(DUAS TST600/X Read-only) -> this is the role that corresponds to the username that launched the command
|INFO |X|IO |pid=p.t| owls_check_security | Security denied for OBJ(LAUNCH) OPER(CREATE) -> this is the operation that is denied due to the role applied
In order to find the root cause, the main log level needs to be increased to 0,SECURITY so that we can see what specific "Role" has been used and what permission is denied.
Example:
- Increase the Main Log Level to 0,SECURITY via UVC or via the command line
- Then relaunch the command that fails and check the universe.log, you should see the following kind of lines that should tell you which Role / Permission is provoking the error:
|TRACE|X|IO |pid=p.t| getSecurity | 25 security patterns available
...
|TRACE|X|IO |pid=p.t| IsMatchProxyFilter | System user HOSTNAME\USERNAME matches pattern */*\*
|TRACE|X|IO |pid=p.t| getSecurity | Client uxordre username on hostname.domain has 4 security roles
...
|INFO |X|IO |pid=p.t| o_check_security | GRANTED ACCESS: role(DUAS TST600/X Read-only) -> this is the role that corresponds to the username that launched the command
|INFO |X|IO |pid=p.t| owls_check_security | Security denied for OBJ(LAUNCH) OPER(CREATE) -> this is the operation that is denied due to the role applied
Resolution
By default, when UVMS is installed, there is a default System User Pattern that allows Operators operations to every System User.
Sometimes, Dollar Universe Admins prefer to restrict this permissions and assign the group "Read-Only Users".
As a result, unless a specific "System User Pattern" is created for the user that should launch commands like "uxadd fla / uxordre..." and mapped to a Group with Roles that allow it, the commands will fail.
To fix it, create a "System User Pattern" for the user that will launch the command, here you have an example where we will map the user called "username" to the group "Operators":
Then perform a "Full Synchronization" of the node so that this new proxy is pushed to the node.
Finally, relaunch the command that was failing, this time it should work.
Sometimes, Dollar Universe Admins prefer to restrict this permissions and assign the group "Read-Only Users".
As a result, unless a specific "System User Pattern" is created for the user that should launch commands like "uxadd fla / uxordre..." and mapped to a Group with Roles that allow it, the commands will fail.
To fix it, create a "System User Pattern" for the user that will launch the command, here you have an example where we will map the user called "username" to the group "Operators":
Then perform a "Full Synchronization" of the node so that this new proxy is pushed to the node.
Finally, relaunch the command that was failing, this time it should work.
Additional Information
If the node was installed with a user account other than root and the issue persists, try to assign the node to the user root with the following:
- Login as root
- Load the Dollar Universe environment:
. /path_to_dollar_universe/unienv.ksh
- Stop the node:
$UNI_DIR_EXEC/unistop
- Assign the node to the root user:
$UNI_DIR_EXEC/uxrights -m assign -a root
- Start the node:
$UNI_DIR_EXEC/unistart
Attachments
Feedback
Yes
No
Powered by
