Hi All Is there any reason why an ID when placed in Administ...


Naeem Sufi 3

Hi All

Is there any reason why an ID, when placed in the Administrator Group, will not see the Admin Menu options?

After install it shows Administrators and Group. I added an ID in this Group; when this ID is logged on, the Admin menu does not show. This ID is also in the Admins Group on the Reporting server and can see the Admin Options.

Anyone had this issue? Please share.

Thanks

I have seen this happen.

It turns out they are defined somewhere else as another level user.

I am not sure if it is the first or last one that is picked up.

Also, I asked about this and was told there is a timing issue, where on the WFC side the group membership report does not refresh automatically and may take some time.

Thank you David. I contacted Support and they said there is an issue in this release (8207.28.06) and there is a HotFix to get this resolved. I applied the HotFix and now the ID can see the Reporting Server Admin Menu but not the WFC Admin Console. Using the Root_user ID I can now see the Reporting Server Admin Console and then WFC Admin control. You are right that somewhere the Admin ID is at a different security level.

Pretty strange. I'm assuming you tried to close down your browser completely before signing back in (after the user has been added to the Admin group). Group memberships are cached on the WebFOCUS Client per user session.

Also, did you try to go to the Administration Console (from an admin account that has the menu options) and try to clear the cache?

Hi Naeem

Wondered if you got to the bottom of this.

If not, I had some ideas rattling around the brain to pass on. You've probably already tried some of this. Also - be warned, I can be long and rambling while rooting around. It's probably going to be a lot to read and I don't have a conclusion to the questions I'll be asking while rooting around.

First - let's go work from the Legacy page instead.

See if you can launch the Admin console from the Legacy page:

http://yourmachine.domain.com/ibi_apps/admin

My guess is that this will not work, but maybe you'll get a different error message or something that helps.

Let's suppose it doesn't work. Then we think it might be a security issue in the rules of WebFOCUS somewhere.

I hunted on the /ibi_apps/wfirs/utils?IBFS_action=operationRoleMap page to find a privilege having to do with the Admin Console and found this:

opWFAdminConsole privilege.

Clicking on it shows the Role where this priv is mentioned.

Interesting. I always thought we just used SystemFullControl with Overpermitted starting at the very top of the repository and that would do everything. Maybe it doesn't work like I thought.

Let's see if we can figure anything else out from here. Make the Legacy page show you the Repository tree in Full View by right clicking and choosing Full View:

(you'll notice that by default, it's in Repository View - you will change this back to the normal view when you're done nosing around).

The Full View shows you the repository structure. The folders listed here are also called subsystems.

The one we're interested in is /CFG. It's messy to open up, but if you do, you'll see all the variables you can set in the admin console now live under here.

Let's check on the Rules that exist for the /CFG area:

I guess that's expected - the Role of WebFOCUS Manager has been given to a Group called Managers. This is new to me - I clearly have not been paying attention. I'm used to thinking about Administrators doing this kind of work.

This may be redundant, but let's review how Administrators get to have SystemFullControl in the Repository. You can close that box showing the Rule for /CFG. This time, let's go look at the very top of the Repository and look at the Rule established way up there (it's called TIBCO WebFOCUS now):

This is the Rule that makes the Administrators Group so powerful. SystemFullControl Over Permitted on all Folders and Children. Now you'd think this would mean people in the Administrators could manipulate the /CFG folder and children.

Just in case though, I guess you could try to check the Effective Policy down at the /CFG area for the specific user that's not working for you.

That'd go like this (I'll use admin as a generic administrator):

Right click /CFG and choose Security/Effective Policy:

In the bottom left corner of the box that pops up, it looks like we need to check the box that says to Show all Privileges. There aren't many listed by default:

Now to get the real story, we need to get down to specifics. In the top left box, choose your User ID to check on (I'll use admin). Then let's find the Display Administration Console privilege that we saw on the Role map page earlier and click on it. That'll make the Effective Policy decision tree light up on the right side of this dialog box:

Now the right side tells me that Admin is allowed to Display Administration Console because

The User Admin is a member of Administrators. And Administrators are Over Permitted with SystemFullControl (start at the top and work your way down). Remember it's Folder and Children for this Rule, so that's why he can mess with the /CFG folder and its children.

I wonder - for your user who can't Display Administration Console - what does this look like for him?

Also - doesn't it make sense that you could make your own new rule to add him if you needed to? Or try just making sure that user is a member of the Managers Group (since a Rule already exists for that Group)?

I have a Group in Security Center called Managers, but nobody is in it.

Try adding your problem User to the Managers Group (assuming you have the same Manager Rule that I do at the /CFG level) and see if that does something for you?

Let us know if any of that helps!

Thank you Toby for the detailed reply. I had already checked a couple of things as you mentioned above. The issue in my case was I had clicked External Only under the Security tab. After I selected Internal and External, the admin menu started to show up.
