cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Cannot create or delete activities for a project

Go to solution
Former Member

on ‎03-07-2006 1:34 AM

0 Kudos

I am attempting to set permissions for developers under different project workspace folders. I am the DTR administrator and have done all initial configurations at the root and system level as per the SAP help documentation after creating a "New DTR Client". I have a workspace folder /ws/XYZ. I gave user USER1 full privileges to /ws/XYZ so that he can do development on that specific project.

But USER1 is unable to create an activity during the process of a new DC creation. Here is the error I get

17:33:13.319 FAILED: Creating activity failed: act_w_JDITEST1_intel_JDI_TEST_dev_inactive_u_bvedamur_t_2006_03_07_01_33_13_GMT_97971c06-3fbb-47b4-b1b1-a693fcc0ceb9 - Forbidden [(pre||post)-condition failed: DAV:access-denied]

USER1 has "NWDI Developer" access and has been assigned all privileges under /ws/XYZ. What am I missing here.

Appreciate any help.

Thx

Bhaskar

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

sid-desh
Advisor
Advisor
‎03-07-2006 7:51 AM
0 Kudos

Hi Bhaskar,

Are you manually creating Workspace folders.

Regards

Sidharth

Show replies
Show replies
Former Member
‎03-07-2006 4:23 PM
0 Kudos

No, I am not manually creating workspace folders at this point though I intend to work on it in the future.

A couple of us with NWDI Admin and DTR Admin access and full access at the DTR root (Y_NWDI_ADMIN_DTR_G group had full access at the root level) had created a few DC projects (J2EE and webdynpro) few weeks back. I see the workspace folders created for these DC projects. Now I am trying to provide specific users developer access to these folders.

These users have NWDI Developers access and have all privileges at the workspace folder level. But when these users attempt to create a DC (and an activity during the process) they get the above mentioned error

Thx

Bhaskar

Message was edited by: Bhaskar Vedamurthy

sid-desh
Advisor
Advisor
‎03-07-2006 6:00 PM
0 Kudos

Hi Bhaskar,

I assume here that you have reset the ACL's for the root using the DTR Admin plugin. If this is not the case do let me know.

Just assigning the priviliges to the Workspace folders will not suffice.

YOu may have to give appropriate permissions to /ws/System folder also.

Try giving read write and checkin priviliges to this folder also.

Regards

Sidharth

Former Member
‎03-07-2006 7:01 PM
0 Kudos

Thanks for the quick response. Two questions

o What do you mean by ACL reset. And yes I am using the DTR plugin to assign permissions from NWDS

o Why do I have to give DEVELOPERS permission to the ws/system folder. Only the Administrators should have read,write,access to this folder, isnt it. Thats what this link says

<a href="http://help.sap.com/saphelp_erp2005/helpdata/en/08/83d93f130f9215e10000000a155106/frameset.htm">Granting Initial Privileges</a>

Rgds

Bhaskar

angel_dichev
Active Participant
‎03-07-2006 8:01 PM
0 Kudos

Hi Bhaskar,

I assume that this user doesn't have SAP_SLD_DEVELOPER rights, just check whether he is assigned to the SLD Developer assess group (Visual Administrator).

Also you can check whether he has access from the NWDS -> Windows -> Preferences -> JDI -> Developemnt Configuration Pool -> URL should point to the SLD server; http://<host>:<port>;

When you click on Ping server (and you are loged in to the DTR with the desired developer user) you should have message saying "Ping was successful, and you should see the SDL server URL, if you see message saing 403 Error than this developer ismissing from the SLD assess list. Common problem when the SLD is running on different box than the DTR.

Kind regards, Angel

sid-desh
Advisor
Advisor
‎03-07-2006 8:11 PM
0 Kudos

Hi Bhaskar,

ACL is set of priviliges that have been assigned for a particular resource to a principal. This principal may be a user or a role or a group in UME.

DTR does not carry out any authorization unless you set the ACL's for a particular resource for the first time. As you mentioned after creating the track you changed the ACL's (granted/denied priviliges) for a particular Workspace folder. However for a developer to carryout development some further settings are required.

Yes you are right only Administrator should have all rights to this resource /ws/System. Sorry made a mistake there.

You will have to give WRITE and CHECKIN to /act and WRITE to /wr /ws /vh. Please give this to all the developers that are doing the development.

Regards

Sidharth

p.s. I wrote what i knew but didnt ask whether you have changed the permissions using the permissions view of DTR perspective. This whole idea is valid only if you have done so. Thanks

Message was edited by: Sidharth Deshpande

Former Member
‎03-07-2006 8:52 PM
0 Kudos

Hi Sidharth,

I saw this section in the SAP help doc, but couldnt quite figure out where where these resources are (/vh, /wr, /act, /ws, /wsh). All I see is the root, system and project ws folders.

This possibly explains why I am unable to create an activity (no write or checkin permission to /act) and may fix it.

Thx

Bhaskar

Former Member
‎03-07-2006 9:02 PM
0 Kudos

Hi Angel,

I have contacted our admins to confirm that we have SAP_SLD_DEVELOPER access, but I am guessing I have it as I have been able to successfully import dev configurations.

Also, the SLD server PING works fine as well (seeing message "Ping was successful" and the URL). Anything else you can think of.

The permissions to /act, /ws resources that Sidharth suggested could be the reason, I havent tried that yet. dont know how

Thx

Bhaskar

sid-desh
Advisor
Advisor
‎03-07-2006 9:04 PM
0 Kudos

Hi Bhaskar,

What you need to do is open the permissions view by right clicking anywhere in the Repository explorer and selecting menu View Permissions.

Then on the title bar of the permissions view window you will see an arrow which when clicked has a menu item view URL.

In the URL give the path as http://server:port/dtr/act/ and click OK.

Now grant the check-in access to all the users. Similarly grant further permissions to /vh /vr etc.

Activate the permissions. You may use the URL http://<server>:<port>/dtr/sysconfig/support/AclRefresh

and choosing Refresh. This takes some time. Around 5 to 6 minutes. Then try again. It may also help if you can restart server again. Some problems are solved this way :-).

Regards

Sidharth

Former Member
‎03-07-2006 10:23 PM
0 Kudos

THANK YOU Sidharth. I gave the reqd permissions to ALL users on all these folders and it works now. Just 2 minor questions -

Is it a good idea to grant ALL users or should I do this only for the developer group (Y_NWDI_DEVELOPER_G).

Is it ok to give write access (to developers/ALL) at the /ws level as this would give every developer access to create any workspace folder manually if they wish.

Rgds

Bhaskar

angel_dichev
Active Participant
‎03-07-2006 10:39 PM
0 Kudos

Hi Bhaskar,

Follow these rules when assiigning the previliges:

Authorizations for the DTR Client

With these settings, you can use the client to display the content of a DTR.

/ - read

/vh - read

/ws - read

/wsh - read

In order to make changes (create files, check in activities, upload files, and so on), you need these extra permissions:

/act - read, write, checkin

/wr - read, write

/vh - write

/wr - read, write

In addition, every user needs the privileges read, write, and checkin for the resources to be changed, and the checkin privilege for the respective workspace.

BTW: It's not a good idea to give full rights to every developer, the access to the different tracks should be given by the power user/manager or NWDI administrator regarding the SC/Track lifecicle.

Also you need to follow the ACL rules:

Rule 1 – final Before All Children

Rule 2 – ignore inheritance

Rule 3 – Child Before Parent

Rule 4 – user before group

Rule 5 – deny before grant

And be careful with the deny rule as it's very powerful and overwrites all other rules.

No developer should have access to /ws/system

If you use "deny All users" to some resource, be sure that you give explicit access to Admin user to this resource as rule "user before group" is before "deny before grant".

(help.sap.com)

Regards, Angel

Message was edited by: Angel Dichev

sid-desh
Advisor
Advisor
‎03-07-2006 11:10 PM
0 Kudos

Hi Bhaskar,

Workspace folders should not be created by individual developers. Same with workspaces. Only project folders should be created by developers.

Rest all is explained by Angel Dichev

Regards

Sidharth

Former Member
‎03-07-2006 11:35 PM
0 Kudos

I started this whole exercise with the intention of restricting developer access in each of the project workspace folders.

The SAP help has a typo where it says /wr -read,write twice. I think one of them is supposed to be /ws. Now thats where I had concern. Yes I dont want developers to create ws folders, but that contradicts with the above instruction (/ws - read,write) provided in SAP help doc.

Thx

Bhaskar

angel_dichev
Active Participant
‎03-08-2006 12:02 AM
0 Kudos

Yes, you are correct about the typo - it's /ws

If you don't want to allow developers to create folders just restrict root folder / to access and read

Give write and check-in to the Track -> SC -> Dev -> Inactive only

all other folders: access and read

Angel

Message was edited by: Angel Dichev

Former Member
‎03-08-2006 12:42 AM
0 Kudos

Thanks. I have already assigned read,access at the / level. So it looks like I dont have to strictly follow that SAP instr (/ws - read,write). That was very helpful. I have awarded points to both you and Sidharth for helping me out.

-Bhaskar

former_member182161
Participant
‎03-27-2006 10:27 PM
0 Kudos

Hi,

I am getting same error with different description. "Internal Server Error"

<b>15:04:24.864 FAILED: Creating activity failed:

act_w_ESSTrack_sap_2e_com_SAP_ESS_dev_inactive_u_cmsadm_t_2006_03_27_20_04_24_GMT_4c70cf2f-7641-4838-96f7-8bf58a5b6450

- Internal Server Error</b>

Can anyone please tell me what the problem is. I was able to create activity till now. Suddenly it stopped wotking.

Thanks

Santhosh

Answers (1)

Answers (1)

Former Member
‎05-24-2006 8:23 PM
0 Kudos

This thread supplies some good clues to the issues we are having.

We tried to add permissions to /act. It is currently set with READ access to <all users>.

When we try edit this ACL to include other privleges, we get "Modification of inherited ACE not allowed". The Inherited From field is set to "/"

When we try to add a Principal we get "Getting Activity Failed".

When we go back to the permissions editor for "/" we see that there is only one principaly <all users> with read access only.

Herein lies the problem! It seems we need to (re)set the root back to include all permissions.

Does anyone know how (if) this can be done?

Cheers ... Bart

Show replies
Show replies
Former Member
‎05-24-2006 8:49 PM
0 Kudos

Bart,

Seems you locked the system by assigning "read" access to all at the root. Should have assigned an admin user at the root with full access as the "Granting Initial Privileges" under help.sap.com says. To get around the problem, you have to use the Emergency user.

Create a new user named "superadmin" in your User store (with a passwd). Use this acct to login to the DTR and assign permission to the Admin user at the root.

Alternatively, you could edit the emergency user name to an existing user (say your user ID) and try logging in again to the DTR. Here is the info on how to edit the emergency user.

<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/a5/736b41419f031de10000000a155106/frameset.htm">Editing the Emergency user</a>

Thx

Bhaskar

Former Member
‎05-25-2006 3:42 PM
0 Kudos

Bhaskar,

Bingo!

Thanks for taking the time to answer this one.

I think we learned a lot from this thread!

Cheers ... Bart

Ask a Question