SCSM 2016 - users "who have a user roles" can't open incident form after upgrade from 2012 R2

    Question

  • Hi Guys,

    When I assign an incident to a user, this user can see the incident but can't open it in the console. When I try to open it, it shows the tasks on the right-hand side, and on the left-hand side it shows the error below on a white page. Note: the authoring tools are installed.

    Microsoft.EnterpriseManagement.UI.WpfViews.InvalidConfigurationException: Failed to load form based on data in Presentation/Form section of FormView configuration: AssemblyName = Microsoft.EnterpriseManagement.ServiceManager.Incident.Forms, TypeName = Microsoft.EnterpriseManagement.ServiceManager.Incident.Forms.IncidentFormControl.
       at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.CreateFormFromConfiguration(XPathNavigator configNav)
       at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.ParseConfiguration()
       at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.EndInit()

    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Creating an instance of the COM component with CLSID {7AB36653-1796-484B-BDFA-E74F1DB7C1DC} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
       at System.Windows.Documents.WinRTSpellerInterop..ctor()
       at System.Windows.Documents.SpellerInteropBase.CreateInstance()
       at System.Windows.Documents.Speller.EnsureInitialized()
       at System.Windows.Documents.Speller.SetCustomDictionaries(CustomDictionarySources dictionaryLocations, Boolean add)
       at System.Windows.Documents.TextEditor.SetCustomDictionaries(Boolean add)
       at System.Windows.Controls.SpellCheck.OnIsEnabledChanged(DependencyObject d, DependencyPropertyChangedEventArgs e)
       at System.Windows.DependencyObject.OnPropertyChanged(DependencyPropertyChangedEventArgs e)
       at System.Windows.FrameworkElement.OnPropertyChanged(DependencyPropertyChangedEventArgs e)
       at System.Windows.Controls.TextBox.OnPropertyChanged(DependencyPropertyChangedEventArgs e)
       at System.Windows.DependencyObject.NotifyPropertyChange(DependencyPropertyChangedEventArgs args)
       at System.Windows.DependencyObject.UpdateEffectiveValue(EntryIndex entryIndex, DependencyProperty dp, PropertyMetadata metadata, EffectiveValueEntry oldEntry, EffectiveValueEntry& newEntry, Boolean coerceWithDeferredReference, Boolean coerceWithCurrentValue, OperationType operationType)
       at System.Windows.DependencyObject.SetValueCommon(DependencyProperty dp, Object value, PropertyMetadata metadata, Boolean coerceWithDeferredReference, Boolean coerceWithCurrentValue, OperationType operationType, Boolean isInternal)
       at System.Windows.DependencyObject.SetValue(DependencyProperty dp, Object value)
       at Microsoft.EnterpriseManagement.ServiceManager.Incident.Forms.IncidentFormControl.InitSpellCheck()
       at Microsoft.EnterpriseManagement.ServiceManager.Incident.Forms.IncidentFormControl..ctor()
       --- End of inner exception stack trace ---
       at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
       at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
       at System.Activator.CreateInstance(Type type, Boolean nonPublic)
       at System.Activator.CreateInstance(Type type)
       at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.CreateForm(String assemblyName, String typeName)
       at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.CreateFormFromConfiguration(XPathNavigator configNav)

    System.UnauthorizedAccessException: Creating an instance of the COM component with CLSID {7AB36653-1796-484B-BDFA-E74F1DB7C1DC} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
       at System.Windows.Documents.WinRTSpellerInterop..ctor()
       at System.Windows.Documents.SpellerInteropBase.CreateInstance()
       at System.Windows.Documents.Speller.EnsureInitialized()
       at System.Windows.Documents.Speller.SetCustomDictionaries(CustomDictionarySources dictionaryLocations, Boolean add)
       at System.Windows.Documents.TextEditor.SetCustomDictionaries(Boolean add)
       at System.Windows.Controls.SpellCheck.OnIsEnabledChanged(DependencyObject d, DependencyPropertyChangedEventArgs e)
       at System.Windows.DependencyObject.OnPropertyChanged(DependencyPropertyChangedEventArgs e)
       at System.Windows.FrameworkElement.OnPropertyChanged(DependencyPropertyChangedEventArgs e)
       at System.Windows.Controls.TextBox.OnPropertyChanged(DependencyPropertyChangedEventArgs e)
       at System.Windows.DependencyObject.NotifyPropertyChange(DependencyPropertyChangedEventArgs args)
       at System.Windows.DependencyObject.UpdateEffectiveValue(EntryIndex entryIndex, DependencyProperty dp, PropertyMetadata metadata, EffectiveValueEntry oldEntry, EffectiveValueEntry& newEntry, Boolean coerceWithDeferredReference, Boolean coerceWithCurrentValue, OperationType operationType)
       at System.Windows.DependencyObject.SetValueCommon(DependencyProperty dp, Object value, PropertyMetadata metadata, Boolean coerceWithDeferredReference, Boolean coerceWithCurrentValue, OperationType operationType, Boolean isInternal)
       at System.Windows.DependencyObject.SetValue(DependencyProperty dp, Object value)
       at Microsoft.EnterpriseManagement.ServiceManager.Incident.Forms.IncidentFormControl.InitSpellCheck()
       at Microsoft.EnterpriseManagement.ServiceManager.Incident.Forms.IncidentFormControl..ctor()

    So please, if you could help me it'd be great. Thanks in advance to everyone.



    Wednesday, August 16, 2017 2:46 PM

Answers

  • I should also note that you could potentially try removing existing groups in a Security Role and re-adding them in again, in case the SID needs to be updated, though I doubt that's the issue.

    To me, it makes perfect sense that the original base roles were made explicit permissions which do not consider custom class properties/relationships and that is why any non-admin or non-AdvancedOperator are having issues.  There is still no out-of-box way to say I want this role to be able to access these classes/properties/relationships.

    I think deep down this was a half finished feature like many things in SCSM, and they wanted to make it better like they said they would for SCSM 2012 SP1 but afterwards the issue was reported not to have been fixed.  After that it appears there was never a real priority made to fix it.

    Systems work as designed, not as intended.  I might have a specific goal to achieve, and I might have a system, but the system doesn't necessarily achieve the specified goal.  This concept is too hard for most to understand, as they are ruled by convenience and the thinking never starts as their brains reflexively pattern match:

    1. you have goal
    2. you have system
    3. you have goal with system!

    This also leads into another tragic behaviour for the messenger of bad news:

    1. you report problem
    2. you haven't fixed problem
    3. you are the problem (Quit Complaining, you have a negative attitude, you get shot despite the motto "Don't shoot the messenger")
    Thursday, August 17, 2017 7:46 PM

All replies

  • So you are able to open it as an SCSM Admin just fine and the not-admin user cannot, correct?

    Can you confirm you still can on the same machine they are having issues on?

    If so, you probably need to make a Security User Role... Have you made an extended Security Role for the users that will be opening the ticket in the SCSM Console?

    [SCSM Console > Administration > Security > User Roles ]

    1. Create Role from Existing BUILTIN Role >  Advanced Operator to create Advanced Operator End Users
    2. Determine if you have any queues that determine the tickets you want them to see.
    3. Add the group all those users would be in under Users section.
    4. Test with User again.

    Side note: I just love how there's a "CreateInstanceSlow" function, even they knew what to name it 😜

    Wednesday, August 16, 2017 7:25 PM
  • First of all, thanks for the response. I can open incidents using the admin; with the not-admin user I can view it in the console, but when I try to open it to show the action log or view incident fields, it gives me this error. I already made the security user role for sure, and that's what I'm talking about :)
    Wednesday, August 16, 2017 9:50 PM
  • I believe you are using a custom defined type projection which contains extended properties/relationships for your custom form, correct?

    At this point this is absolutely the program not seeing your end user as having permissions to access those custom properties/custom relationships on the type projection the custom form is using.

    I personally used Advanced Operator End Users as it's the only group that grants access to read/write to classes which yours now references.  I believe you did not create a new End Users Role from Advanced Operators, am I correct?  I recommend trying that.

    Rob Ford mentions in the Thread "The End users cannot submit a Service Request after extending the class" that he doubts Microsoft will fix it and the SDK is your only other option.  Or potentially any 3rd party tools that link the security role with implicit access (meaning access to extended properties/relationships) to the class you are using.

    Whenever you create a custom relationship, you must grant permissions to use it if the user role in question is not Advanced Operators or Administrators.

    In SCSM 2012, the SDK was updated to add this functionality, however, it did not work. I have been told this was fixed in SP1, but I have never tested it, as I use my own tool that performs the SQL that the SCSM 2010 fix used to run directly.

    However, if you want to try with the SDK, here is some example code that was originally supplied by Microsoft Support for this problem:

        // mg is assumed to be an already-connected EnterpriseManagementGroup (not shown in the original snippet).
        Profile incidentResolverProfile = mg.Security.GetProfile(Profile.IncidentResolverProfileId);
        // Locate the operation in the profile that you want to enhance
        foreach (Operation operation in incidentResolverProfile.Operations)
        {
            if (operation.Name == "Object__Add")
            {
                // Enhance the operation's type restrictions.
                OperationImplicitScope newOperationScopeType = new OperationImplicitScope(new Guid("D02DC3B6-D709-46F8-CB72-452FA5E082B8"), Guid.Empty, Guid.Empty, 2);
                operation.ImplicitScopes.Add(newOperationScopeType);
                // Persist the changed profile, then stop: only one operation needs the new scope.
                incidentResolverProfile.Update();
                break;
            }
        }

    Change the profile to the end user profile and the Guid to the Guid for Service Request which is 04b69835-6343-4de2-4b19-6be08c612989.

    For Object__Set:

        // Where/FirstOrDefault need "using System.Linq;".
        // requestOfferingClass and relationshipWItoRO are not defined in the original snippet;
        // they are assumed to be the class and relationship objects looked up beforehand.
        Profile incidentResolverProfile = mg.Security.GetProfile(Profile.IncidentResolverProfileId);
        // Get the operation in the profile that you want to enhance
        Operation opObjectSet = incidentResolverProfile.Operations.Where(op => op.Name == "Object__Set").FirstOrDefault();
        if (opObjectSet != null)
        {
            OperationImplicitScope relationshipScope = new OperationImplicitScope(requestOfferingClass.Id, relationshipWItoRO.Id, RelationshipEndpoint.Unset);
            opObjectSet.ImplicitScopes.Add(relationshipScope);
            incidentResolverProfile.Update();
        }

    If this now works, you will see rows in the entries in the ProfileOperationImplicitScope table where the column IsCustomized=1.

    I provide this code for example only, you'll need to interpret it and adjust for your requirements.


    Rob Ford scsmnz.net
    Cireson www.cireson.com


    Thursday, August 17, 2017 6:26 PM