Users getting access denied when trying to create a security group

  • Question

  • Hello,

    I created an MPR for granting rights through an approval workflow for joining a security group, but I am getting the following error. Any thoughts on what could be going wrong?

    Error processing your request: The operation was rejected because of access control policies.
    Reason: The operation failed as a result of insufficient access rights.
    Attributes: ExplicitMember
    Correlation Id: edc226e9-ecb9-42c2-ab20-4fa8b5643056
    Request Id:
    Details: No policy grants the Requestor permission to complete all changes.

    This is what I see in the event log:

    Requestor: urn:uuid:9373552a-c063-4fb9-abcd-3501d151a061
    Correlation Identifier: edc226e9-ecb9-42c2-ab20-4fa8b5643056

    Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.WebServices.Exceptions.PermissionDeniedException: ManagementPolicyRule ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, Line 1319, Message: Permission denied: <ai><Name>ExplicitMember</Name></ai>
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
       at System.Data.SqlClient.SqlDataReader.get_MetaData()
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
       at System.Data.SqlClient.SqlCommand.ExecuteReader()
       at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
       --- End of inner exception stack trace ---
       at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
       at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)

    Thanks,
    John

    Tuesday, February 10, 2015 10:01 AM

Answers

  • Hi,

    You are probably missing another MPR to give the right (checkbox "Grants permission") to add and remove values for the attribute "Explicit member". Setting an authorization workflow is not enough!

    Regards,
    Sylvain

    Tuesday, February 10, 2015 10:54 AM
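
The rule described in the answer, as an added example that is not part of the original thread and not FIM's own code: it reads the denied attribute out of the event log line quoted in the question, then checks a simplified policy model for (operation, attribute) pairs that no granting MPR covers. The `Mpr` class, its field names and the two sample rules are constructed for illustration, and the model ignores requestor and target set membership.

```python
import re
from dataclasses import dataclass

# Sample input: the exception message from the event log entry in the question.
EVENT_LINE = ("Reraised Error 50000, Level 16, State 1, Procedure DoEvaluateRequestInner, "
              "Line 1319, Message: Permission denied: <ai><Name>ExplicitMember</Name></ai>")

@dataclass(frozen=True)
class Mpr:
    """Simplified stand-in for a ManagementPolicyRule (field names are this example's)."""
    name: str
    grants_permission: bool       # the "Grants permission" checkbox
    operations: frozenset         # e.g. {"Add", "Remove"}
    attributes: frozenset         # attribute names, or {"*"} for all attributes
    has_authz_workflow: bool = False

def denied_attributes(event_text):
    """Return every attribute name listed in the <ai><Name>..</Name></ai> element."""
    return re.findall(r"<Name>([^<]+)</Name>", event_text)

def ungranted(mprs, operations, attributes):
    """Return (operation, attribute) pairs that no granting MPR covers.

    An MPR that only attaches an authorization workflow never counts as a grant.
    """
    missing = []
    for op in operations:
        for attr in attributes:
            covered = any(m.grants_permission and op in m.operations
                          and (attr in m.attributes or "*" in m.attributes)
                          for m in mprs)
            if not covered:
                missing.append((op, attr))
    return missing

# Constructed policy sets: a workflow-only rule, then the same set plus a granting rule.
WORKFLOW_ONLY = [Mpr("Join group needs approval", False, frozenset({"Add"}),
                     frozenset({"ExplicitMember"}), has_authz_workflow=True)]
WITH_GRANT = WORKFLOW_ONLY + [Mpr("Users may add/remove explicit members", True,
                                  frozenset({"Add", "Remove"}),
                                  frozenset({"ExplicitMember"}))]

if __name__ == "__main__":
    attrs = denied_attributes(EVENT_LINE)
    print("denied attributes:", attrs)
    print("workflow only:", ungranted(WORKFLOW_ONLY, ["Add", "Remove"], attrs))
    print("with grant:   ", ungranted(WITH_GRANT, ["Add", "Remove"], attrs))
```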