DUAS6: commands returns error: "abandon" or "Access denied error" or "Non-existent task"

Products

CA Automic Dollar Universe

Issue/Introduction

Some commands like "uxordre" or "uxadd fla" fail when launched the command as a specific system username.
Same commands work when launched as the Dollar Universe Administrator / root or some specific users.

Example of the command that fails when launched as username:

$UXEXE/uxordre tsk=TASKNAME mu=MUNAME param=test
(Technical info is absent: abandon)

or

$UXEXE/uxordre tsk=TASKNAME mu=MUNAME param=test
Non-existent task

Or:
$UXEXE/uxadd fla tsk=TASKNAME mu=MUNAME pdate=08/01/2018
Access denied error
command in error!!

Environment

Component: Dollar Universe 6
Operating System: All

Cause

The System User Pattern (proxy) is mapped to a Group that does not have enough permissions to execute the required Operation.

In order to find the root cause, the main log level needs to be increased to 0,SECURITY so that we can see what specific "Role" has been used and what permission is denied.

Example:

Increase the Main Log Level to 0,SECURITY via UVC or via the command line

unisetvar U_LOG_LEVEL 0,SECURITY

Then relaunch the command that fails and check the universe.log, you should see the following kind of lines that should tell you which Role / Permission is provoking the error:

|TRACE|X|IO |pid=p.t| owls_init_client | Client uxordre proxy is: [SYS] [hostname\username]
|TRACE|X|IO |pid=p.t| getSecurity | 25 security patterns available
...
|TRACE|X|IO |pid=p.t| IsMatchProxyFilter | System user HOSTNAME\USERNAME matches pattern */*\*
|TRACE|X|IO |pid=p.t| getSecurity | Client uxordre username on hostname.domain has 4 security roles
...
|INFO |X|IO |pid=p.t| o_check_security | GRANTED ACCESS: role(DUAS TST600/X Read-only) -> this is the role that corresponds to the username that launched the command
|INFO |X|IO |pid=p.t| owls_check_security | Security denied for OBJ(LAUNCH) OPER(CREATE) -> this is the operation that is denied due to the role applied

Resolution

By default, when UVMS is installed, there is a default System User Pattern that allows Operators operations to every System User.

Sometimes, Dollar Universe Admins prefer to restrict this permissions and assign the group "Read-Only Users".

As a result, unless a specific "System User Pattern" is created for the user that should launch commands like "uxadd fla / uxordre..." and mapped to a Group with Roles that allow it, the commands will fail.

To fix it, create a "System User Pattern" for the user that will launch the command, here you have an example where we will map the user called "username" to the group "Operators":

Then perform a "Full Synchronization" of the node so that this new proxy is pushed to the node.

Finally, relaunch the command that was failing, this time it should work.

Additional Information

If the node was installed with a user account other than root and the issue persists, try to assign the node to the user root with the following:

Login as root
Load the Dollar Universe environment:
```
. /path_to_dollar_universe/unienv.ksh
```
Stop the node:
```
$UNI_DIR_EXEC/unistop
```

Assign the node to the root user:

$UNI_DIR_EXEC/uxrights -m assign -a root

Start the node:
```
$UNI_DIR_EXEC/unistart
```

If the UVC user is on a UVMS Subordinate, and you obtain this kind of trace:

Client UniViewer700 UVCUSER on uvc_workstation has 0 security roles

This means that the User to Group mapping may be wrong, to fix it connect to the UVMS Master as a UVMS administrator user and double-click on the UVMS Subordinate and click on "Full Synchronization", after 30 minutes or so, connect to the UVMS Subordinate and click on "Full Synchronization" on the impacted Node and then the user should no be able to perform the needed action provided that the group that he belongs to, has the required roles.