Insufficient Privilege on Custom User Picker

  • Question

  • Hi,

    I created a custom user field called Requested By. The weird thing is that only the administrator is able to use this field. Anyone else using this field will be presented with an insufficient privilege error when trying to save the ticket. The user also has all rights in queue, group, task and view. Any ideas? Appreciate any help!

    Error message below

    Date: 12/15/2011 6:52:55 PM
    Application: System Center Service Manager Console
    Application Version: 7.0.6555.0
    Severity: Error
    Message: Failed to execute Submit operation. Fix the reported error before submitting again.

    Microsoft.EnterpriseManagement.Common.UnauthorizedAccessEnterpriseManagementException: The user BPG\aini does not have sufficient permission to perform the operation.
       at Microsoft.EnterpriseManagement.Common.Internal.ServiceProxy.HandleFault(String methodName, Message message)
       at Microsoft.EnterpriseManagement.Common.Internal.ConnectorFrameworkConfigurationServiceProxy.ProcessDiscoveryDataWithBinarySupport(Int32 operation, Guid discoverySourceId, IList`1 entityInstances, IList`1 relationshipInstances, IDictionary`2 streams, Boolean useOptimisticConcurrency)
       at Microsoft.EnterpriseManagement.ConnectorFramework.IncrementalDiscoveryData.CommitInternal(EnterpriseManagementGroup managementGroup, Guid discoverySourceId, Boolean useOptimisticConcurrency)
       at Microsoft.EnterpriseManagement.ConnectorFramework.IncrementalDiscoveryData.Commit(EnterpriseManagementGroup managementGroup, Guid discoverySourceId, Boolean useOptimisticConcurrency)
       at Microsoft.EnterpriseManagement.ConnectorFramework.IncrementalDiscoveryData.CommitForUserDiscoverySource(EnterpriseManagementGroup managementGroup, Boolean useOptimisticConcurrency)
       at Microsoft.EnterpriseManagement.ConnectorFramework.IncrementalDiscoveryData.Commit(EnterpriseManagementGroup managementGroup)
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.EnterpriseManagementObjectProjectionWriteAdapter.WriteSdkObject(EnterpriseManagementGroup managementGroup, IList`1 sdkObjects, IDictionary`2 parameters)
       at Microsoft.EnterpriseManagement.UI.SdkDataAccess.DataAdapters.SdkWriteAdapter`1.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)
       at Microsoft.EnterpriseManagement.UI.ViewFramework.SingleItemSupportAdapter.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)
       at Microsoft.EnterpriseManagement.UI.DataModel.QueryQueue.StartExecuteQuery(Object sender, ConsoleJobEventArgs e)
       at Microsoft.EnterpriseManagement.ServiceManager.UI.Console.ConsoleJobExceptionHandler.ExecuteJob(IComponent component, EventHandler`1 job, Object sender, ConsoleJobEventArgs args)

    • Edited by James Yeoh Thursday, December 15, 2011 10:53 AM
    Thursday, December 15, 2011 10:49 AM

Answers

  • You must use this update and set permissions for your relationship.

    "For example, you add the System.CallingUser relationship between the System.WorkItem.Incident and System.Domain.User endpoints. If you want the IncidentResolver profile to be able to enable the ability to update the relationship, you have to add the relationship to the Object__Set (update) right of the System.Domain.User endpoint. In this example, you do not have to add the relationship to the Object__Set (update) right of the System.WorkItem.Incident endpoint. The relationship does not have to be added because the following entry indicates that the System.WorkItem.Incident endpoint already has the Object__Set (update) rights for all properties and relationship endpoints:

    ProfileName       Operation    Type                      Property  Relationship  RelationshipEndPoint
    IncidentResolver  Object__Set  System.WorkItem.Incident  NULL      NULL          N/A"

    http://www.scsmsolutions.com/ freemanru (at) gmail (dot) com
    Friday, December 16, 2011 1:53 PM
    Moderator

All replies

  • After messing around for quite a while, I noticed the only way is to add an advanced operator role for the user, or else he won't be able to save the ticket if he changes the custom user picker field. But I still want to maintain all my views and tasks, so I ended up creating an advanced operator role that has no rights whatsoever, and put the user in there, and it worked! Is this supposed to be the way? This is very weird.
    Thursday, December 15, 2011 11:12 AM
  • Hi,

    No, that doesn't sound right :S

    In order to save a relationship, you have to have edit permissions in both ends. So in this case, you would need the edit permissions on the WI and on the User object. You don't have any groups or queues in place that might restrict this?

    Regards
    //Anders


    Anders Asp | Lumagate | www.lumagate.com | Sweden | My blog: www.scsm.se
    Thursday, December 15, 2011 9:54 PM
    Moderator
  • Nope, as a matter of fact I always try not to touch queues or groups because I always end up with very weird situations. The moment I don't choose All for queues, the user ends up not being able to do many, many things. One example is that if I do not give them All, they won't be able to see any of Provance's information. Sometimes it happens to other things, like not being able to view Incidents themselves. It won't even work if I tick everything; it has to be selected as All, or else it won't work.

    Perhaps I can ask why this is happening? I'm curious because this doesn't seem to be a problem for anyone. I never use the built-in roles as they will end up giving the person full rights, so every role is custom. Anything wrong with this?

    Friday, December 16, 2011 10:09 AM
  • Thanks Anton, I wasn't aware of such a patch!
    Friday, December 23, 2011 7:12 AM