
Purpose

This page enables BI System Administrators to diagnose missing rights that have caused an error. The errors, captured in log files, show details about the right, the type of object, the user and so on. This document explains how to map an error captured in the log files to the corresponding right within the BI Platform.

Overview

Log files generated by the BI Platform can show errors where a right is denied, preventing a particular action.

The log files refer to “objects” that are being checked within the repository, each identified by an ID. These “objects” can be: the User, the Right, the Object, the Owner of the Object and the Type of Object.

Here is an example from a log file:

2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=

This shows that the:

  • Right number 90 (R=90) is denied (IsAllowed=false)
  • for a User, with ID 4805061 (U=4805061)
  • for the object, with ID 989734 (Ob=989734)
  • of which the owner of the object has ID 447019 (Own=447019)
  • and the type of object has ID 2 (T=2)

Which User? (U=???)

2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=

Refer to the “Standard principals” table for any standard ID, otherwise use Query Builder with this SQL to determine more information about the User:

select * from CI_INFOOBJECTS,CI_APPOBJECTS,CI_SYSTEMOBJECTS where SI_ID=xxxxx

Replace xxxxx with the ID, in our case 4805061 for the User (U=4805061).

 

Standard principals

| Description | ID seen in log files |
|---|---|
| Everyone | 1 |
| Administrators | 2 |
| Objlimits | 3 |
| Cluster Object | 4 |
| System Account | 10 |
| Newusersignup | 33 |
| Guest | 11 (Guest user ID) |
| Superuser | 12 (Super user ID) |

 

Which Object? (Ob=???)

2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=

Refer to the “Standard folders” table for any standard ID, otherwise use Query Builder with this SQL to determine more information about the Object:

select * from CI_INFOOBJECTS,CI_APPOBJECTS,CI_SYSTEMOBJECTS where SI_ID=xxxxx

Replace xxxxx with the ID, in our case 989734 for the Object (Ob=989734).

Standard Folders

| Description | ID seen in log files |
|---|---|
| Server Folder | 16 |
| Server Group Folder | 17 |
| Favorite Folder | 18 |
| User Folder | 19 |
| User Group Folder | 20 |
| Event Folder | 21 |
| Calendar Folder | 22 |
| Root Folder | 23 (root of all the user-defined folders) |
| Licenses | 24 (folder to contain all license key objects) |
| Plugins | 25 (folder to contain all the plug-in objects) |
| Auth Plugins | 26 (folder for authentication plugins) |
| Desktop Plugins | 27 (folder for desktop plugins) |
| Admin Plugins | 28 (folder for administration plugin objects) |
| Destination Plugins | 29 (folder for destination plugin objects) |
| Meta Plugins | 30 (folder for meta plugin) |
| Connection Folder | 41 (folder for connection objects) |
| Tokens Folder | 42 |
| Application Folder | 43 |
| Corporate Category Folder | 45 (folder for root corporate category objects) |
| Personal Category Folder | 47 (folder for root personal category objects) |
| Inbox Folder | 48 (folder for all Inboxes) |
| Temporary Storage Folder | 49 (temporary storage folder) |
| Profile Folder | 50 (profile folder) |
| Messages Folder | 51 (messages folder) |
| Services Folder | 52 (services folder) |
| Installs Folder | 53 (install folder) |
| Service Containers Folder | 55 (server containers folder) |
| Custom Dynamic Properties Folder | 56 (folder to contain all dynamic property definitions) |
| Custom Roles Folder | 57 (custom roles folder) |
| Security Tokens Folder | 58 (various security tokens used by web services security) |
| Enterprise Nodes Folder | 59 (installed instances folder) |
| Internal Storage Folder | 60 (internal folder for storing temp docs, e.g. ‘Deliver To Inbox’ docs) |
| Service Categories Folder | 61 (service categories folder) |
| Server Intelligence Folder | 62 (server intelligence folder) |
| Server Intelligence Resources Folder | 63 (server intelligence resources folder) |
| Alert Notifications Folder | 64 (root folder for Alert Notifications) |
| Cryptographic Key Folder | 65 (root folder for Cluster Keys) |
| Semantic Layer Folder | 95 (root folder for plugin such as universe, WebI, and overload) |
| Application Config Folder | 99 (root folder for plugin such as CMC and ePortfolio) |

 

Which Owner? (Own=???)

2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=

Refer to the “Standard principals” table for any standard ID, otherwise use Query Builder with this SQL to determine more information about the User:

select * from CI_INFOOBJECTS,CI_APPOBJECTS,CI_SYSTEMOBJECTS where SI_ID=xxxxx

Replace xxxxx with the ID, in our case 447019 for the Owner (Own=447019).

 

Standard principals

| Description | ID seen in log files |
|---|---|
| Everyone | 1 |
| Administrators | 2 |
| Objlimits | 3 |
| Cluster Object | 4 |
| System Account | 10 |
| Newusersignup | 33 |
| Guest | 11 (Guest user ID) |
| Superuser | 12 (Super user ID) |

Which Type of Object? (T=???)

2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=

The Type of Object can and will vary from one system to another, so there are no ‘standard’ type IDs across systems, which is why we are unable to list them here. Run this SQL, in Query Builder, on the same system the logs were generated from:

Select si_name, si_obtype from ci_systemobjects where si_obtype=xxxx and si_plugin_object=1

Replace xxxx with the Object Type, 2 in our example. In our case, Query Builder shows that Object Type 2 (T=2) refers to Crystal Reports.

Sometimes you may see that the Type of Object ID is 0 (T=0). If this is the case, ignore it and decipher the Object Type ID from the Right ID (R=???) instead. Please see the next section for details.

 

Which Right? (R=???)

2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=

Use the BI Platform Support Tool to download the rights for your system.

  1. Launch the BI Platform Support Tool
  2. Select Tools, Export Right IDs.
  3. If not already logged in, you will be prompted to log in. Enter the credentials of an Administrator user.
  4. Wait for the Rights to be downloaded and save the newly created .csv file.
  5. Open the csv file of rights, and filter the column 'Internal Rights' to the right ID you see in your log file referenced by R=
    (if you are using Microsoft Excel - select "Data-Filter" to automatically apply a filter drop-down box to each column)
  6. In the last column 'Description' will appear the right description that appears in the Central Management Console.
  7. In the second column 'Plugin Friendly Name' will appear the type of object referenced by the right id.

 

If you are unable to use this tool, for whatever reason, then there is still a method to determine the right, but the process is complex and is as follows:

(the remainder of this page is dedicated to only this task)

 

Rights less than 65,536?

If the Right number is less than 65,536 then refer directly to the tables below. This right will be ‘generic’ and apply to all object types. The tables show the same ‘generic’ rights repeated for every object type that could have the ‘generic’ right.

In our case the right ID is 90 (R=90) and so from the tables we know the right being checked was “Download File Right”.

 

Rights more than 65,536?

If the Right ID is greater than 65,536 then the Right ID (that you see in the log) will be made up of the ‘Owner identifier’, the ‘Object Type’ and the ‘Right ID’. The right will also be specific to that ‘plugin type’.

Here is an example log entry:

2014 08 28 17:17:06:214|Security::IsAllowed( U=12,R=16908368,Ob=559,Own=10,T=0 ) : IsAllowed=true (from normal right)

  • The ‘Right ID’ is stored in the last 16 bits (bits 15 to 0)
  • The ‘Object Type ID’ is stored in bits (28 to 16)
  • And the ‘Owner identifier’ is stored in bit 29

| Field | Bits | Bit values for R=16908368 (highest bit first) |
|---|---|---|
| Owner | 29 | 0 |
| Object Type ID | 28 to 16 | 0 0 0 0 1 0 0 0 0 0 0 1 0 |
| Right ID | 15 to 0 (last 16 bits) | 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 |

This is how you can determine the right it is checking:

  1. Convert the ‘Right ID’ to binary:
    The Right ID ‘16908368’ (R=16908368) needs to be converted to a binary number.
    The decimal number 16908368 in binary is 1000000100000000001010000
    The last 16 bits represent the ‘Right ID’: 0000000001010000 (or in Decimal 80).
  2. Bits 28 to 16 represent the ‘Object Type ID’: 100000010 (or in Decimal 258)
    Note that we 'shift' the number to the right by 16 places before we convert to a decimal value.
  3. Bit 29 represents if the right is an ‘owner right’. If it is 1, then the right is an ‘owner right’, rather than a normal right.

So, you should now have 3 pieces of information: the true ‘Right ID’, the ‘Object Type ID’ and whether the right is an ‘owner right’ or a normal right.
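The decoding steps above as a short Python script (an added example, not part of the original page or of any SAP tool). The function names are illustrative, and the third sample line is constructed, with bit 29 set, to show an owner right; the first two are the log lines quoted on this page.

```python
import re

# Matches the Security::IsAllowed entries quoted on this page.
LINE_RE = re.compile(
    r"Security::IsAllowed\(\s*U=(\d+),R=(\d+),Ob=(\d+),Own=(\d+),T=(\d+)\s*\)"
    r"\s*:\s*IsAllowed=(true|false)")

# "Standard principals" table from this page.
STANDARD_PRINCIPALS = {1: "Everyone", 2: "Administrators", 3: "Objlimits",
                       4: "Cluster Object", 10: "System Account",
                       33: "Newusersignup", 11: "Guest", 12: "Superuser"}

def decode_right(r):
    """Split a logged R= value into right ID, object type ID and owner flag."""
    if r < 65536:  # generic right: applies to all object types
        return {"right_id": r, "object_type": None, "owner_right": False}
    return {"right_id": r & 0xFFFF,              # bits 15 to 0
            "object_type": (r >> 16) & 0x1FFF,   # bits 28 to 16, shifted right
            "owner_right": bool((r >> 29) & 1)}  # bit 29

def parse_is_allowed(line):
    """Return the decoded fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    user, right, obj, owner, obtype = (int(g) for g in m.groups()[:5])
    rec = {"user": user, "object": obj, "owner": owner, "type": obtype,
           "allowed": m.group(6) == "true",
           "user_name": STANDARD_PRINCIPALS.get(user),
           "owner_name": STANDARD_PRINCIPALS.get(owner)}
    rec.update(decode_right(right))
    if obtype == 0 and rec["object_type"] is not None:
        rec["type"] = rec["object_type"]  # T=0: take the type from R instead
    return rec

SAMPLE_LINES = [
    # Lines 1 and 2 are the page's examples; line 3 is constructed.
    "2014 08 20 14:25:29:648|  Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=",
    "2014 08 28 17:17:06:214|Security::IsAllowed( U=12,R=16908368,Ob=559,Own=10,T=0 ) : IsAllowed=true (from normal right)",
    "2014 08 28 17:17:07:001|Security::IsAllowed( U=12,R=553779280,Ob=559,Own=12,T=0 ) : IsAllowed=false defined=",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_is_allowed(line))
```

The decoded object type is still only a number: its SI_NAME has to be looked up with the Query Builder statement in Step 1, because type IDs differ between systems.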

The next steps involve identifying the right by ‘filtering’ the table based off the:

  1. ‘SI_NAME’ (from the ‘Object Type ID’, bits 28 to 16)
  2. Right description (from the Right ID, last 16 bits)
  3. Whether it is an ‘owner right’ (bit 29)

Step 1: SI_NAME

Determine the SI_NAME based off the ‘Object Type ID’. Use Query Builder with this SQL:

Select SI_NAME from ci_systemobjects where si_obtype=xxxx and si_plugin_object=1

Replace xxxx with the Object Type, 258 in our example. For our test system, the SI_NAME is ‘CrystalEnterprise.CMC’.

 

Step 2: Right description

Look only at the rows in the ‘Right IDs’ table for the ‘SI_NAME’ you have just identified in Step 1 (filtering on column A).

Then filter these rows further by the true Right ID, the last 16 bits of the Right ID (filtering on column D).

You will be left with one or two rows: one ‘normal’ right and (possibly) another ‘that the user owns’ right. The description for rights (as shown in the Central Management Console) will be shown in column E of the table.

 

Step 3: Owner right?

If you identified the Right ID as containing an owner (bit 29 is 1, not 0), then the right is the one ending ‘that the user owns’; otherwise it is the normal right.

 

So, for our example,

2014 08 28 17:17:06:214|Security::IsAllowed( U=12,R=16908368,Ob=559,Own=10,T=0 ) : IsAllowed=true (from normal right)

We know the:

  • Right ID has a decimal value of 80. (last 16 bits)
  • The ‘Object Type ID’ has a decimal value of 258, allowing us to determine (for our system) the SI_NAME is ‘CrystalEnterprise.CMC’
  • The right was a normal right, not an owner right (bit 29 of ‘Right ID’)

And so the right seen in the Central Management Console that was being checked was “Allow access to Security Query”. We can see this from this row in the table below:

| SI_NAME (obtain this from the ‘Right ID’ bits 28 to 16 and querying the CMS database) | Friendly Name for SI_NAME | Is Plugin Specific? | Right ID (obtain this from the last 16 bits of ‘Right ID’ seen in the logs) | Description (as shown in the Central Management Console) |
|---|---|---|---|---|
| CrystalEnterprise.CMC | CMC | Plugin Specific | 80 | Allow access to Security Query |

 

Right IDs table

The list of Right IDs can be downloaded here in Microsoft Excel format.

The table containing the list of rights:

  • is very long, so it is best to use Excel's 'filter' feature.
  • is the list of rights that can be changed and set at the 'SDK' level. Only a subset of these rights are actually exposed in the product through the BILaunchPad and Central Management Console. Many of the rights are not used.
  • is not necessarily complete for every system, since the list of rights depends upon which plug-ins are installed. Example plug-ins are: 'Crystal Reports', 'Web Intelligence', 'Explorer'. The most common plug-in types are listed.

Please note: the BI Support Tool will enable you to download a full and complete list of right IDs for your system. You are advised to use the BI Support Tool rather than the Excel file mentioned here.

 
