5 Replies Latest reply on Jun 5, 2013 9:35 PM by SandeepReddy10

    Security Question

    JT01 Level 1

      Hello All,

       

      I am not sure if this is the correct place but it is where I decided to post!

       

      I have a simple workflow I am trying to use.  A user logs into workspace, opens a form, fills out the form and hits complete.  The form in workbench will lookup the users credentials, convert the xdp to pdf, reader extend the form and save to a file location.

       

      In Workbench my flow is 4 services, UserManagerLookupService(Find User) -> FormsService(renderPDFForm) -> ReaderExtensionsService(Apply Usage Rights) -> fileUtilsService(Write Document).

       

      My process works just fine as a Super Admin.  My question is this, what roles do I need to assign inside the AdminUI to get this to work for a Workspace user?  If I only assign the role of LiveCycle Workspace User the process errors at step 1(Find User).  If I add the role of Services User the process errors at step 2(renderPDFForm).  If I add the role of Process Administrator the process errors at step 3(Apply Usage Rights).  If I add the role of Trust Administrator the entire process works.

       

      Error on step 1 = ALC-DSC-128-000: com.adobe.idp.dsc.DSCAuthorizationException: User xxx does not have the Service Invoke Permission on Service UserManagerLookupService.

       

      Error on step 2 = com.adobe.livecycle.formsservice.exception.RenderFormException: Failed to load TemplateStream for FormQuery=/IT Project Summary/171031_2010.xdp from location URI =repository://.

       

      Error on step 3 = ALC-RES-001-002: No credential found with alias [xxx].

       

      I have no problem with granting LiveCycle Workspace User, my problem occurs when I have to add regular users to have administrator rights.  Is there some way around this while still running the process as the user that logs into workspace instead of specifying to run as System?

       

      If any more detail is required let me know.

       

      Thanks,

      ~Josh

        • 1. Re: Security Question
          Jasmin Charbonneau Level 4

          What about Run As Invoker?

           

          Jasmin

          • 2. Re: Security Question
            JT01 Level 1

            Makes no difference to run as Invoker.  I would also assume that if nothing is selected it would be automatically run as the invoker.

             

            What did make a difference is changing the type from short-lived to long-lived.  When the process is long-lived it works just fine with the user only having LiveCycle Workspace User permissions.

             

            Is there a way to run short-lived processes as the invoker with only LiveCycle Workspace User permissions or are all short-lived processes assumed to not require any services in workbench?

             

            Example -> displaying a form to be saved(manually) using workspace simply as a place house the form.

             

            Thanks,

            ~Josh

            • 3. Re: Security Question
              Jasmin Charbonneau Level 4

              Since all steps in your process are actually calls to individual service (File Utils (write to file), Forms (renderPDFForm), Reader Extension (Apply Usage Rights)), you could add security on them individually to allow the users that have access to invoke them (from adminui). You could also a group that contains all the users to make it more generic.

               

              Jasmin

              • 4. Re: Security Question
                JT01 Level 1

                I had already created a group to manage who could access the form, the domains I am working with have 5k+ and 200k+ users.  This particual form is only available to 30 of those users.

                 

                So short-lived processes will not work for individual users or small groups of users without adding additional security... I need to use long-lived for all processes that call any individual service.  I can handle that if that is the case I just needed to know that I have to use long-lived processes(unless they can be run by the system, ie I don't need to collect user specific information).  I wanted to use short-lived on basic workflows since ALC says short-lived processes execute more efficiently than long-lived processes.

                 

                Thanks,

                ~Josh

                • 5. Re: Security Question
                  SandeepReddy10

                  Jasmin, I did exactly same thing. I add security for individual service and gave invoke perm  to the group, Even after doing that I am getting the same error (ALC-DSC-128-000) when a user from the group is trying to access the service. Looks like adobe foundation componets can't be access. Thank you for helping me out.

                   

                   

                   

                  Error message

                   

                  ALC-DSC-128-000: com.adobe.idp.dsc.DSCAuthorizationException: User James Bond does not have the Service Invoke Permission on Service Script.

                            at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept(AuthorizationInterc eptor.java:194)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterceptor.java:48)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineImpl.java:121)

                            at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:131)

                            at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.routeMessage(AbstractMessage Receiver.java:93)

                            at com.adobe.idp.dsc.provider.impl.vm.VMMessageDispatcher.doSend(VMMessageDispatcher.java:22 5)

                            at com.adobe.idp.dsc.provider.impl.base.AbstractMessageDispatcher.send(AbstractMessageDispat cher.java:66)

                            at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:167)

                            at com.adobe.workflow.engine.PEUtil.invokeAction(PEUtil.java:893)

                            at com.adobe.idp.workflow.dsc.invoker.WorkflowDSCInvoker.transientInvoke(WorkflowDSCInvoker. java:350)

                            at com.adobe.idp.workflow.dsc.invoker.WorkflowDSCInvoker.invoke(WorkflowDSCInvoker.java:158)

                            at com.adobe.idp.dsc.interceptor.impl.InvocationInterceptor.intercept(InvocationInterceptor. java:140)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.interceptor.impl.DocumentPassivationInterceptor.intercept(DocumentPassi vationInterceptor.java:53)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor$1.doInTransaction(Transa ctionInterceptor.java:74)

                            at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionCMTAdapterBean.execute(EjbTr ansactionCMTAdapterBean.java:357)

                            at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionCMTAdapterBean.doRequiresNew (EjbTransactionCMTAdapterBean.java:299)

                            at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EJSLocalStatelessEjbTransactionCMTAdapter_ caf58c4f.doRequiresNew(Unknown Source)

                            at com.adobe.idp.dsc.transaction.impl.ejb.EjbTransactionProvider.execute(EjbTransactionProvi der.java:143)

                            at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor.intercept(TransactionInt erceptor.java:72)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.interceptor.impl.InvocationStrategyInterceptor.intercept(InvocationStra tegyInterceptor.java:55)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.interceptor.impl.InvalidStateInterceptor.intercept(InvalidStateIntercep tor.java:37)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept(AuthorizationInterc eptor.java:188)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterceptor.java:48)

                            at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)

                            at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineImpl.java:121)

                            at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:131)

                            at com.adobe.idp.dsc.provider.impl.soap.axis.AdobeAxisServiceProvider.invokeMethod(AdobeAxis ServiceProvider.java:222)

                            at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)

                            at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)

                            at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)

                            at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)

                            at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)

                            at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:443)

                            at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)

                            at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)

                            at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)

                            at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)

                            at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)

                            at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1657)

                            at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1597)

                            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:131)

                            at com.adobe.idp.dsc.provider.impl.soap.axis.InvocationFilter.doFilter(InvocationFilter.java :43)

                            at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 188)

                            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)

                            at com.adobe.idp.um.auth.filter.CSRFFilter.doFilter(CSRFFilter.java:86)

                            at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 188)

                            at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)

                            at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)

                            at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)

                            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:934)

                            at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:502)

                            at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java: 179)

                            at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.jav a:91)

                            at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864)

                            at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583)

                            at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:186)

                            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink .java:452)

                            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.jav a:511)

                            at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java: 305)

                            at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.jav a:78)

                            at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionLi stener.java:165)

                            at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)

                            at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)

                            at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)

                            at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)

                            at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)

                            at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)

                            at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1604)