on 03-07-2006 1:34 AM
I am attempting to set permissions for developers under different project workspace folders. I am the DTR administrator and have done all initial configurations at the root and system level as per the SAP help documentation after creating a "New DTR Client". I have a workspace folder /ws/XYZ. I gave user USER1 full privileges to /ws/XYZ so that he can do development on that specific project.
But USER1 is unable to create an activity during the process of a new DC creation. Here is the error I get
17:33:13.319 FAILED: Creating activity failed: act_w_JDITEST1_intel_JDI_TEST_dev_inactive_u_bvedamur_t_2006_03_07_01_33_13_GMT_97971c06-3fbb-47b4-b1b1-a693fcc0ceb9 - Forbidden [(pre||post)-condition failed: DAV:access-denied]
USER1 has "NWDI Developer" access and has been assigned all privileges under /ws/XYZ. What am I missing here.
Appreciate any help.
Thx
Bhaskar
Hi Bhaskar,
Are you manually creating Workspace folders.
Regards
Sidharth
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
No, I am not manually creating workspace folders at this point though I intend to work on it in the future.
A couple of us with NWDI Admin and DTR Admin access and full access at the DTR root (Y_NWDI_ADMIN_DTR_G group had full access at the root level) had created a few DC projects (J2EE and webdynpro) few weeks back. I see the workspace folders created for these DC projects. Now I am trying to provide specific users developer access to these folders.
These users have NWDI Developers access and have all privileges at the workspace folder level. But when these users attempt to create a DC (and an activity during the process) they get the above mentioned error
Thx
Bhaskar
Message was edited by: Bhaskar Vedamurthy
Hi Bhaskar,
I assume here that you have reset the ACL's for the root using the DTR Admin plugin. If this is not the case do let me know.
Just assigning the priviliges to the Workspace folders will not suffice.
YOu may have to give appropriate permissions to /ws/System folder also.
Try giving read write and checkin priviliges to this folder also.
Regards
Sidharth
Thanks for the quick response. Two questions
o What do you mean by ACL reset. And yes I am using the DTR plugin to assign permissions from NWDS
o Why do I have to give DEVELOPERS permission to the ws/system folder. Only the Administrators should have read,write,access to this folder, isnt it. Thats what this link says
<a href="http://help.sap.com/saphelp_erp2005/helpdata/en/08/83d93f130f9215e10000000a155106/frameset.htm">Granting Initial Privileges</a>
Rgds
Bhaskar
Hi Bhaskar,
I assume that this user doesn't have SAP_SLD_DEVELOPER rights, just check whether he is assigned to the SLD Developer assess group (Visual Administrator).
Also you can check whether he has access from the NWDS -> Windows -> Preferences -> JDI -> Developemnt Configuration Pool -> URL should point to the SLD server; http://<host>:<port>;
When you click on Ping server (and you are loged in to the DTR with the desired developer user) you should have message saying "Ping was successful, and you should see the SDL server URL, if you see message saing 403 Error than this developer ismissing from the SLD assess list. Common problem when the SLD is running on different box than the DTR.
Kind regards, Angel
Hi Bhaskar,
ACL is set of priviliges that have been assigned for a particular resource to a principal. This principal may be a user or a role or a group in UME.
DTR does not carry out any authorization unless you set the ACL's for a particular resource for the first time. As you mentioned after creating the track you changed the ACL's (granted/denied priviliges) for a particular Workspace folder. However for a developer to carryout development some further settings are required.
Yes you are right only Administrator should have all rights to this resource /ws/System. Sorry made a mistake there.
You will have to give WRITE and CHECKIN to /act and WRITE to /wr /ws /vh. Please give this to all the developers that are doing the development.
Regards
Sidharth
p.s. I wrote what i knew but didnt ask whether you have changed the permissions using the permissions view of DTR perspective. This whole idea is valid only if you have done so. Thanks
Message was edited by: Sidharth Deshpande
Hi Sidharth,
I saw this section in the SAP help doc, but couldnt quite figure out where where these resources are (/vh, /wr, /act, /ws, /wsh). All I see is the root, system and project ws folders.
This possibly explains why I am unable to create an activity (no write or checkin permission to /act) and may fix it.
Thx
Bhaskar
Hi Angel,
I have contacted our admins to confirm that we have SAP_SLD_DEVELOPER access, but I am guessing I have it as I have been able to successfully import dev configurations.
Also, the SLD server PING works fine as well (seeing message "Ping was successful" and the URL). Anything else you can think of.
The permissions to /act, /ws resources that Sidharth suggested could be the reason, I havent tried that yet. dont know how
Thx
Bhaskar
Hi Bhaskar,
What you need to do is open the permissions view by right clicking anywhere in the Repository explorer and selecting menu View Permissions.
Then on the title bar of the permissions view window you will see an arrow which when clicked has a menu item view URL.
In the URL give the path as http://server:port/dtr/act/ and click OK.
Now grant the check-in access to all the users. Similarly grant further permissions to /vh /vr etc.
Activate the permissions. You may use the URL http://<server>:<port>/dtr/sysconfig/support/AclRefresh
and choosing Refresh. This takes some time. Around 5 to 6 minutes. Then try again. It may also help if you can restart server again. Some problems are solved this way :-).
Regards
Sidharth
THANK YOU Sidharth. I gave the reqd permissions to ALL users on all these folders and it works now. Just 2 minor questions -
Is it a good idea to grant ALL users or should I do this only for the developer group (Y_NWDI_DEVELOPER_G).
Is it ok to give write access (to developers/ALL) at the /ws level as this would give every developer access to create any workspace folder manually if they wish.
Rgds
Bhaskar
Hi Bhaskar,
Follow these rules when assiigning the previliges:
Authorizations for the DTR Client
With these settings, you can use the client to display the content of a DTR.
/ - read
/vh - read
/ws - read
/wsh - read
In order to make changes (create files, check in activities, upload files, and so on), you need these extra permissions:
/act - read, write, checkin
/wr - read, write
/vh - write
/wr - read, write
In addition, every user needs the privileges read, write, and checkin for the resources to be changed, and the checkin privilege for the respective workspace.
BTW: It's not a good idea to give full rights to every developer, the access to the different tracks should be given by the power user/manager or NWDI administrator regarding the SC/Track lifecicle.
Also you need to follow the ACL rules:
Rule 1 final Before All Children
Rule 2 ignore inheritance
Rule 3 Child Before Parent
Rule 4 user before group
Rule 5 deny before grant
And be careful with the deny rule as it's very powerful and overwrites all other rules.
No developer should have access to /ws/system
If you use "deny All users" to some resource, be sure that you give explicit access to Admin user to this resource as rule "user before group" is before "deny before grant".
(help.sap.com)
Regards, Angel
Message was edited by: Angel Dichev
I started this whole exercise with the intention of restricting developer access in each of the project workspace folders.
The SAP help has a typo where it says /wr -read,write twice. I think one of them is supposed to be /ws. Now thats where I had concern. Yes I dont want developers to create ws folders, but that contradicts with the above instruction (/ws - read,write) provided in SAP help doc.
Thx
Bhaskar
Hi,
I am getting same error with different description. "Internal Server Error"
<b>15:04:24.864 FAILED: Creating activity failed:
act_w_ESSTrack_sap_2e_com_SAP_ESS_dev_inactive_u_cmsadm_t_2006_03_27_20_04_24_GMT_4c70cf2f-7641-4838-96f7-8bf58a5b6450
- Internal Server Error</b>
Can anyone please tell me what the problem is. I was able to create activity till now. Suddenly it stopped wotking.
Thanks
Santhosh
This thread supplies some good clues to the issues we are having.
We tried to add permissions to /act. It is currently set with READ access to <all users>.
When we try edit this ACL to include other privleges, we get "Modification of inherited ACE not allowed". The Inherited From field is set to "/"
When we try to add a Principal we get "Getting Activity Failed".
When we go back to the permissions editor for "/" we see that there is only one principaly <all users> with read access only.
Herein lies the problem! It seems we need to (re)set the root back to include all permissions.
Does anyone know how (if) this can be done?
Cheers ... Bart
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Bart,
Seems you locked the system by assigning "read" access to all at the root. Should have assigned an admin user at the root with full access as the "Granting Initial Privileges" under help.sap.com says. To get around the problem, you have to use the Emergency user.
Create a new user named "superadmin" in your User store (with a passwd). Use this acct to login to the DTR and assign permission to the Admin user at the root.
Alternatively, you could edit the emergency user name to an existing user (say your user ID) and try logging in again to the DTR. Here is the info on how to edit the emergency user.
<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/a5/736b41419f031de10000000a155106/frameset.htm">Editing the Emergency user</a>
Thx
Bhaskar
User | Count |
---|---|
86 | |
10 | |
10 | |
9 | |
6 | |
6 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.