How to solve “E_ACCESS_DENIED / Forbidden” Error When Adding Library Widget to IBM Connections Community (After changing connectionsAdmin user)

I’d like to share a very painful experience from one of my last customer visits, where I had to switch from a local file-registry WebSphere administrator (wasadmin) to an LDAP-based administrator. This had to be done in order to change the connectionsAdmin user and activate SPNEGO SSO in IBM Connections 5.0 CR2.

I followed all the regular and overly-complicated mixture of weird documentation in IBM’s knowledge center (someday someone at IBM’s board of directors will be held accountable for all this mess) mainly using this topic and its sub-topics.

At the end of all the configurations and settings, the library component of Connections (CCM) was not functioning, so I started looking at the logs and digging and googling and blah blah blah. Eventually I realized I was facing another one of IBM’s famous bugs, as described in this excellent link. I’m not going to get into all the details (again, because of Julius Schwarzweller’s excellent blog post), but in essence this bug happens when you migrate your environment from 4.5 to 5.0 and then change the filenetAdmin password and/or username. I followed all the steps described in Julius’ blog to fix the error and indeed the problem was solved! I could see libraries loading up in Communities and everything looked OK…

…Until I tried to add a new library widget to a community:

[Screenshot: community overview showing the 403 error when adding the library widget]

“403 forbidden”

Connections log was showing this error:

P8ErrorHandle E com.ibm.ecm.qkr.services.p8.P8ErrorHandler handleError 403 AccessDenied CQL5953: You do not have access to the requested object. Contact the owner of the object for assistance in changing your access rights.
 com.filenet.api.exception.EngineRuntimeException: FNRCE0001E: E_ACCESS_DENIED: The requester has insufficient access rights to perform the requested operation. failedBatchItem=0 errorStack={
 at com.filenet.engine.persist.IndependentPersister.checkObjectPropertyAccess(IndependentPersister.java:2502)
 at com.filenet.engine.persist.IndependentPersister.checkPropertyAccess(IndependentPersister.java:2311)
 at com.filenet.engine.persist.IndependentPersister.checkCreatePermissions(IndependentPersister.java:1984)
 at com.filenet.engine.persist.IndependentPersister.preCreate(IndependentPersister.java:1170)
 at com.filenet.engine.persist.IndependentPersister.preExecuteChange(IndependentPersister.java:607)
...
...

And also this:

EventPropagat E com.ibm.lconn.widgets.service.EventPropagater postRemoteEvent CLFWZ0004E: Event 'widget.added' sent to remote lifecycle handler at https://connections.XXXXX.co.il:9443/dm/atom/communities/feed returned bad response: 403 - Forbidden
AddWidgetActi E com.ibm.lconn.widgets.actions.AddWidgetAction execute CLFWZ0004E: Event 'widget.added' sent to remote lifecycle handler at https://connections.XXXXXX.co.il:9443/dm/atom/communities/feed returned bad response: 403 - Forbidden
 com.ibm.lconn.widgets.model.LifecycleStatusCodeException: CLFWZ0004E: Event 'widget.added' sent to remote lifecycle handler at https://connections.XXXXXX.co.il:9443/dm/atom/communities/feed returned bad response: 403 - Forbidden
 at com.ibm.lconn.widgets.service.EventPropagater.postRemoteEvent(EventPropagater.java:569)
 at com.ibm.lconn.widgets.service.EventPropagater.addWidget(EventPropagater.java:753)
 at com.ibm.lconn.widgets.service.WidgetInfoService.addWidgetPropagateInternal(WidgetInfoService.java:285)
 at com.ibm.lconn.widgets.service.WidgetInfoService.addWidget(WidgetInfoService.java:376)
 at com.ibm.lconn.widgets.actions.AddWidgetAction.execute(AddWidgetAction.java:70)
 at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
...
...

I immediately turned to look at the FileNet engine log file (p8_error) which showed basically the same thing:

FNRCE0001E - ERROR method name: checkObjectPropertyAccess principal name: wpsadmin Global Transaction: true User Transaction: false Exception Info: The requester has insufficient access rights to perform the requested operation. Not granted required access on target object.
com.filenet.api.exception.EngineRuntimeException: FNRCE0001E: E_ACCESS_DENIED: The requester has insufficient access rights to perform the requested operation. Not granted required access on target object. failedBatchItem=0
 at com.filenet.engine.persist.IndependentPersister.checkObjectPropertyAccess(IndependentPersister.java:2502)
 at com.filenet.engine.persist.IndependentPersister.checkPropertyAccess(IndependentPersister.java:2311)
 at com.filenet.engine.persist.IndependentPersister.checkCreatePermissions(IndependentPersister.java:1984)
 at com.filenet.engine.persist.IndependentPersister.preCreate(IndependentPersister.java:1170)
 at com.filenet.engine.persist.IndependentPersister.preExecuteChange(IndependentPersister.java:607)
 at com.filenet.engine.persist.SubscribablePersister.preExecuteChange(SubscribablePersister.java:227)
 at com.filenet.engine.persist.ReplicablePersister.preExecuteChange(ReplicablePersister.java:125)
 at com.filenet.engine.persist.ContainablePersister.preExecuteChange(ContainablePersister.java:89)
 at com.filenet.engine.persist.FolderPersister.preExecuteChange(FolderPersister.java:207)
 at com.filenet.engine.persist.IndependentPersister.executeChangeWork(IndependentPersister.java:505)
 at com.filenet.engine.persist.IndependentPersister.executeChange(IndependentPersister.java:339)
 at com.filenet.engine.persist.SubscribablePersister.executeChange

Obviously I have a security issue at the FileNet level. “wpsadmin” is the login name of the new filenetAdmin (and connectionsAdmin), and for some reason it does not have the required permissions on the Connections object store. I verified that the account is listed in the FileNet object store (and domain) as an administrator with full permissions (including child objects, so that all objects inherit the permissions):
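The correlation done by hand above (a 403 from the /dm lifecycle handler plus a FileNet E_ACCESS_DENIED naming the admin principal) can be scripted for the next time this surfaces. This is an added example, not code from the post or from IBM; the log lines are constructed from the excerpts above with a placeholder hostname, and the format strings are assumed to match what the quoted logs show.

```python
import re

# Constructed sample lines modelled on the Connections SystemOut.log and
# FileNet p8_server_error.log excerpts quoted in this post (hostname is a placeholder).
SAMPLE_LOG = """\
EventPropagat E com.ibm.lconn.widgets.service.EventPropagater postRemoteEvent CLFWZ0004E: Event 'widget.added' sent to remote lifecycle handler at https://connections.example.invalid:9443/dm/atom/communities/feed returned bad response: 403 - Forbidden
P8ErrorHandle E com.ibm.ecm.qkr.services.p8.P8ErrorHandler handleError 403 AccessDenied CQL5953: You do not have access to the requested object.
FNRCE0001E - ERROR method name: checkObjectPropertyAccess principal name: wpsadmin Global Transaction: true User Transaction: false Exception Info: The requester has insufficient access rights to perform the requested operation.
"""

# Widget lifecycle event that the remote handler rejected (Connections side).
LIFECYCLE_RE = re.compile(
    r"CLFWZ0004E: Event '(?P<event>[^']+)' sent to remote lifecycle handler at "
    r"(?P<url>\S+) returned bad response: (?P<status>\d{3})"
)
# FileNet access check that failed, with the principal it was evaluated for (CPE side).
P8_RE = re.compile(
    r"FNRCE0001E - ERROR method name: (?P<method>\S+) principal name: (?P<principal>\S+)"
)


def triage(log_text):
    """Correlate rejected lifecycle events with the FileNet principal that was denied."""
    findings = {"lifecycle_failures": [], "denied_principals": set()}
    for line in log_text.splitlines():
        m = LIFECYCLE_RE.search(line)
        if m:
            findings["lifecycle_failures"].append((m["event"], m["url"], int(m["status"])))
        m = P8_RE.search(line)
        if m:
            findings["denied_principals"].add((m["principal"], m["method"]))

    # Diagnosis rule from this post: a 403 from the /dm/ (CCM) lifecycle handler together
    # with a FileNet E_ACCESS_DENIED for the admin principal points at object-store ACLs,
    # not at SSO or the widget registration itself.
    forbidden_on_dm = any(
        status == 403 and "/dm/" in url
        for _, url, status in findings["lifecycle_failures"]
    )
    findings["likely_cause"] = (
        "filenet_object_store_acl"
        if forbidden_on_dm and findings["denied_principals"]
        else "unknown"
    )
    return findings
```

Running `triage(open("SystemOut.log").read() + open("p8_server_error.log").read())` over the two real logs lists every principal FileNet denied, so you can check those accounts (rather than the whole admin group) against the object store ACLs.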

[Screenshots: Administration Console for Content Platform Engine, domain-level and object-store-level security for “wpsadmin”]

In the above screenshots, you can clearly see that “wpsadmin” has full control on the domain level and also on the object store level with these permissions:

[Screenshot: Administration Console for Content Platform Engine, object store permissions granted to “wpsadmin”]

So you can understand why I was puzzled and, quite frankly, out of ideas. After fiddling around with the FileNet settings and inspecting permissions on different object types, I noticed that the permissions were not being inherited by child objects. I suspect this happened because, during my attempts to solve the problem, I had deleted and recreated both the old and the new admin user in the Connections Profiles database (using the API as described here and here). The solution was to run the “Security Script Wizard” from the ACCE options of the object store, as described here and here. I selected the new FileNet admin user as an Object Store administrator and voilà, problem solved!

Bottom line: if you ever need to change the connectionsAdmin user, keep in mind that in some circumstances the new account will not be granted the proper permissions on the Connections object store. This is where the Security Script Wizard comes in very handy. According to the documentation, it does not modify existing permissions, only adds new users, which sounds safe to me.

If anyone can offer a better explanation to what happened or has a less invasive solution to this problem – please share your thoughts below.

Published by

Amir Barkal

"Music is the best" - FZ
