locked
"Unauthorized Access" Error for Incident Resolvers when Saving Custom Incident -> User Relationship RRS feed

  • Question

  • We have implemented a very basic customization for a client in which an additional User relationship has been added to the Incident class and form ("Call In User").  The extension, relationship, and form all work perfectly for Administrators and Advanced Operators (and custom user roles based off those roles), however, members of the Incident Resolvers user role (and custom roles based on that role) all receive "Unauthorized Access" errors.  As the client's desire is to use narrowly-scoped user roles based off the specific work item types, this poses a problem.

    The exact error Incident Resolvers receive is this:

    An exception was thrown while processing ProcessDiscoveryData for session ID uuid:fd95f3ee-c545-4338-8757-50369bef79e8;id=12.
     Exception message: The user DOMAIN\user does not have sufficient permission to perform the operation.
     Full Exception: Microsoft.EnterpriseManagement.Common.UnauthorizedAccessEnterpriseManagementException: The user DURANDAL\jrutherford does not have sufficient permission to perform the operation.
       at Microsoft.EnterpriseManagement.Mom.DiscoveryDatabaseAccess.ManagementStoreAuthorization.Authorize(DiscoveryDataInstance discoveryDataInstance, IAuthorizationService authService, Boolean useProcessContext, WindowsIdentity identity, DatabaseConnection databaseConnection)
       at Microsoft.EnterpriseManagement.ServiceDataLayer.DiscoveryDataManager.DiscoveryPackageIncrementalProcessingHandler.AuthorizeEntityObjects(DatabaseConnection databaseConnection, Guid discoverySourceId, IContext context, IList`1 packets)
       at Microsoft.EnterpriseManagement.ServiceDataLayer.DiscoveryDataManager.DiscoveryPackageIncrementalProcessingHandler.ProcessIncrementalDiscoveryData(DatabaseConnection databaseConnection)
       at Microsoft.EnterpriseManagement.ServiceDataLayer.DiscoveryDataManager.DiscoveryPackageIncrementalProcessingHandler.Process()
       at Microsoft.EnterpriseManagement.Mom.DiscoveryDatabaseAccess.DiscoveryPackageProcessor.ProcessWithRetry(HandleProcessing handleProcessing, RetryPolicy retryPolicy)
       at Microsoft.EnterpriseManagement.ServiceDataLayer.DiscoveryDataManager.ProcessDiscoveryDataWithRetry(DatabaseConnection dbconnection, Guid discoverySourceId, IList`1 sdkEntityInstances, IDictionary`2 streams, IContext context)
       at Microsoft.EnterpriseManagement.ServiceDataLayer.ConnectorFrameworkConfigurationService.ProcessDiscoveryData(Guid discoverySourceId, IList`1 entityInstances, IDictionary`2 streams, ObjectChangelist`1 extensions)

    As stated before, saving this relationship works perfectly for Advanced Operator-based roles and Administrators, while the core Incident Resolvers role, despite having access to all groups and queues, lacks permissions.

    I believe the root of the problem is that the Incident Resolver user role does not have permission to update CIs (as documented on the table here), though clear exceptions are the ability to save the relationship between Incidents and the default relationships (Affected User, Affected Configuration Items, etc.).

    Side note - a similar thread to mine here was opened in 2010 and was never solved, instead closed due to inactivity, and can be found here.

    Based off the solution to this thread, it would appear that the problem can be resolved by making changes in SQL, though the nature of what needs to be changed, where, and how, remains elusive, and I have no desire to make random changes in SQL until I see what works (or more likely, how soon until everything breaks).

    Can anyone provide any insight as to what needs to be changed and how in order to ensure the Incident Resolvers user role has the permission to save Incidents with this relationship?

    Thanks in advance!

    Tuesday, July 9, 2013 6:48 PM