Adding privilege to USER/USRG throws "Missing privilege"

Article ID: 427655

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

When attempting to update a USER or USRG (UserGroup) object and add a privilege, the following error appears: Missing privilege

WP logs may include something like:

U00004514 Access trace: User: 'USERNAME/DEPT' Privilege: '[Missing privilege]'.

 

This can also happen when importing an .xml export, where messages may show:

Import Log

Starting import of object '[IMPORTED_USERNAME]/DEPT'
Object '[IMPORTED_USERNAME]/DEPT' does not yet exist. Object will be created.
U00004518 Missing privilege
U04005760 Errors occurred while importing object '[IMPORTED_USERNAME]/DEPT'.

 

Importing a transport case may show:

Import Log

U08230190: persistence failed
U09 'Missing privilege': Access denied: [IMPORTED_USERNAME]/DEPT

Environment

Automation Engine: 24.1 and higher

Cause

This error occurs when the user attempting to add the privilege to the ADMIN group does not already hold that privilege. The change must be made by a user who has the privilege being granted. This is a security measure that was added to the product in 24.1:

Least Privilege Requirement for Granting Privileges to other Users

As of this version, administrator users with the right to define other Users' privileges will not be able to grant privileges that they do not have themselves. A new internal check guarantees that this restriction is honored system-wide, that is, everywhere where modifying User objects is possible: AWI, Java API, REST API, XML import.

Administrators who have created Users with more privileges than themselves in previous versions will still be able to view those User definitions, provided they have the necessary rights. However, they will not be able to modify them.

For more information, see Granting Automation Engine Privileges.

Resolution

The best way to add the missing privileges is to use a user or usergroup that already has the privilege, either one in the client you are working in or a client 0 user (the UC/UC user, for example, will have this privilege), and do the following:

  • Open the Administration perspective
  • Go to Users
  • Open a USER object that is an admin in the client where you are attempting to grant the privilege
  • Give the USER the missing privilege (the one that should also be added to the usergroup) and save
  • Log into the non-zero client as the admin user with the missing privilege
  • Assign the privilege to the ADMIN usergroup and save the changes
  • Remove the privilege from the single user (they will still retain the privilege if they are a part of the ADMIN usergroup)
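
To see which administrators and privileges are affected before working through the steps above, the log messages quoted in the Issue section can be collected per user. The following Python script is an added example, not part of the original article or the product; the user names and privilege names in the sample lines are constructed, and the user in U00004514 is assumed to be the one performing the change.

```python
import re
from collections import defaultdict

# Patterns follow the log excerpts quoted in this article. Real logs may carry
# timestamps or other prefixes, so the patterns are searched, not anchored.
ACCESS_TRACE = re.compile(
    r"U00004514 Access trace: User: '(?P<user>[^']+)' Privilege: '(?P<priv>[^']+)'")
IMPORT_START = re.compile(r"Starting import of object '(?P<obj>[^']+)'")
IMPORT_DENIED = re.compile(r"U00004518 Missing privilege")
TRANSPORT_DENIED = re.compile(r"'Missing privilege': Access denied: (?P<obj>\S+)")

def summarize_denials(lines):
    """Return (grants, imports).

    grants  maps a user (assumed to be the one making the change) to the set
            of privileges reported in U00004514 access-trace lines.
    imports lists objects whose XML or transport-case import was rejected.
    """
    grants = defaultdict(set)
    imports = []
    current = None  # object named by the most recent 'Starting import' line
    for line in lines:
        if m := ACCESS_TRACE.search(line):
            grants[m["user"]].add(m["priv"])
        elif m := IMPORT_START.search(line):
            current = m["obj"]
        elif IMPORT_DENIED.search(line) and current:
            imports.append(current)  # U00004518 belongs to the open import
            current = None
        elif m := TRANSPORT_DENIED.search(line):
            imports.append(m["obj"])
    return dict(grants), imports

# Constructed sample lines (names and privileges are placeholders).
SAMPLE_LOG = [
    "U00004514 Access trace: User: 'ADMIN1/OPS' Privilege: 'PRIVILEGE_A'.",
    "U00004514 Access trace: User: 'ADMIN1/OPS' Privilege: 'PRIVILEGE_B'.",
    "U00004514 Access trace: User: 'ADMIN2/OPS' Privilege: 'PRIVILEGE_A'.",
    "Starting import of object 'NEWUSER/OPS'",
    "Object 'NEWUSER/OPS' does not yet exist. Object will be created.",
    "U00004518 Missing privilege",
    "U04005760 Errors occurred while importing object 'NEWUSER/OPS'.",
    "U08230190: persistence failed",
    "U09 'Missing privilege': Access denied: SVCUSER/OPS",
]

if __name__ == "__main__":
    grants, imports = summarize_denials(SAMPLE_LOG)
    for user, privs in sorted(grants.items()):
        print(f"{user} lacks: {', '.join(sorted(privs))}")
    print("Rejected imports:", ", ".join(imports))
```

Each user listed in the first result needs the named privileges granted by someone who already holds them, as in the Resolution steps, before the change or import is retried.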