Purpose
This page enables BI System Administrators to diagnose missing rights that have caused an error. The errors, captured in log files, show details about the right, the type of object, the user, etc. This document explains how to map an error captured in the log files to the corresponding right within the BI Platform.
Overview
Log files generated by the BI Platform can show errors where a right is denied, preventing a particular action.
The log files will refer to “objects” that are being checked, within the repository, identified by an ID. “Objects” can be: Users, Rights, Object, Owner of the Objects and the Type of Object.
Here is an example from a log file:
2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=
This shows that the:
- Right number 90 (R=90) is denied (IsAllowed=false)
- for a User, with ID 4805061 (U=4805061)
- for the object, with ID 989734 (Ob=989734)
- of which the owner of the object has ID 447019 (Own=447019)
- and the type of object had ID 2 (T=2)
Which User? (U=???)
2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=
Refer to the “Standard principals” table for any standard ID, otherwise use Query Builder with this SQL to determine more information about the User:
select * from CI_INFOOBJECTS,CI_APPOBJECTS,CI_SYSTEMOBJECTS where SI_ID=xxxxx
Replacing xxxxx with the ID. In our case: 4805061, for the User (U=4805061)
Standard principals
Description | ID seen in log files |
Everyone | 1 |
Administrators | 2 |
Objlimits | 3 |
Cluster Object | 4 |
System Account | 10 |
Newusersignup | 33 |
Guest | 11 Guest user ID |
Superuser | 12 Super user ID |
Which Object? (Ob=???)
2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=
Refer to the “Standard folders” table for any standard ID, otherwise use Query Builder with this SQL to determine more information about the Object:
select * from CI_INFOOBJECTS,CI_APPOBJECTS,CI_SYSTEMOBJECTS where SI_ID=xxxxx
Replacing xxxxx with the ID. In our case: 989734, for the Object (Ob=989734)
Standard Folders
Description | ID seen in log files |
Server Folder | 16 |
Server Group Folder | 17 |
Favorite Folder | 18 |
User Folder | 19 |
User Group Folder | 20 |
Event Folder | 21 |
Calendar Folder | 22 |
Root Folder | 23 root of all the user-defined folders |
Licenses | 24 folder to contain all license key objects |
Plugins | 25 folder to contain all the plug-in objects |
Auth Plugins | 26 folder for authentication plugins |
Desktop Plugins | 27 folder for desktop plugins |
Admin Plugins | 28 folder for administration plugin objects |
Destination Plugins | 29 folder for destination plugin objects |
Meta Plugins | 30 folder for meta plugin |
Connection Folder | 41 folder for connection objects |
Tokens Folder | 42 |
Application Folder | 43 |
Corporate Category Folder | 45 folder for root corporate category objects |
Personal Category Folder | 47 folder for root personal category objects |
Inbox Folder | 48 folder for all Inboxes |
Temporary Storage Folder | 49 temporary storage folder |
Profile Folder | 50 profile folder |
Messages Folder | 51 messages folder |
Services Folder | 52 services folder |
Installs Folder | 53 install folder |
Service Containers Folder | 55 server containers folder |
Custom Dynamic Properties Folder | 56 folder to contain all dynamic property definitions |
Custom Roles Folder | 57 custom roles folder |
Security Tokens Folder | 58 various security tokens used by web services security |
Enterprise Nodes Folder | 59 installed instances folder |
Internal Storage Folder | 60 internal folder for storing temp docs e.g. ‘Deliver To Inbox’ docs |
Service Categories Folder | 61 service categories folder |
Server Intelligence Folder | 62 server intelligence folder |
Server Intelligence Resources Folder | 63 server intelligence resources folder |
Alert Notifications Folder | 64 root folder for Alert Notifications |
Cryptographic Key Folder | 65 root folder for Cluster Keys |
Semantic Layer Folder | 95 root folder for plugin such as universe, WebI, and overload |
Application Config Folder | 99 root folder for plugin such as CMC and ePortfolio |
Which Owner? (Own=???)
2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=
Refer to the “Standard principals” table for any standard ID, otherwise use Query Builder with this SQL to determine more information about the User:
select * from CI_INFOOBJECTS,CI_APPOBJECTS,CI_SYSTEMOBJECTS where SI_ID=xxxxx
Replacing xxxxx with the ID. In our case: 447019, for the Owner (Own=447019)
Standard principals
Description | ID seen in log files |
Everyone | 1 |
Administrators | 2 |
Objlimits | 3 |
Cluster Object | 4 |
System Account | 10 |
Newusersignup | 33 |
Guest | 11 Guest user ID |
Superuser | 12 Super user ID |
Which Type of Object? (T=???)
2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=
The Type of Object can and will vary from one system to another, so there are no ‘standard’ type IDs across systems, which is why we are unable to list them here. Run this SQL, in Query Builder, on the same system the logs were generated from:
Select si_name, si_obtype from ci_systemobjects where si_obtype=xxxx and si_plugin_object=1
Replace xxxx with the Object Type, 2 in our example. From Query Builder, in our case, we can see that Object Type 2 (T=2) refers to Crystal Reports.
Sometimes you may see that the Type of Object ID is 0 (T=0). If this is the case, ignore it and decipher the Object Type ID from the Right ID (R=???) instead. Please see the next section for details.
Which Right? (R=???)
2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=
Use the BI Platform Support Tool to download the rights for your system.
- Launch the BI Platform Support Tool
- Select Tools, Export Right IDs:
- If not already logged in, you will be prompted to log in. Enter the credentials of an Administrator user.
- Wait for the Rights to be downloaded and save the newly created .csv file.
- Open the csv file of rights, and filter the column 'Internal Rights' to the right ID you see in your log file referenced by R=
(if you are using Microsoft Excel - select "Data-Filter" to automatically apply a filter drop-down box to each column)
- In the last column 'Description' will appear the right description that appears in the Central Management Console.
- In the second column 'Plugin Friendly Name' will appear the type of object referenced by the right id.
If you are unable to use this tool, for whatever reason, then there is still a method to determine the right, but the process is complex and is as follows:
(the remainder of this page is dedicated to only this task)
Rights less than 65,536?
If the Right number is less than 65,536 then refer directly to the tables below. This right will be ‘generic’ and apply to all object types. The tables will show the same ‘generic’ rights repeated for every object type that could have the ‘generic’ right.
In our case the right ID is 90 (R=90) and so from the tables we know the right being checked was “Download File Right”.
Rights more than 65,536?
If the Right ID is greater than 65,536 then the Right ID (that you see in the log) will be made up of the ‘Owner identifier’, ‘Object Type’, ‘Right ID’. The right will also be specific to that ‘plugin type’.
Here is an example log entry:
2014 08 28 17:17:06:214|Security::IsAllowed( U=12,R=16908368,Ob=559,Own=10,T=0 ) : IsAllowed=true (from normal right)
- The ‘Right ID’ is stored in the last 16 bits (bits 15 to 0)
- The ‘Object Type ID’ is stored in bits (28 to 16)
- And the ‘Owner identifier’ is stored in bit 29
Owner (bit 29) | Object Type ID (bits 28 to 16) | Right ID (last 16 bits, 15 to 0) |
29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 0 | 0 | 0 | 0 |
This is how you can determine the right it is checking:
- Convert the ‘Right ID’ to binary:
The Right ID ‘16908368’ (R=16908368) needs to be converted to a binary number.
The decimal number 16908368 in binary is 1000000100000000001010000
- The last 16 bits represent the ‘Right ID’: 0000000001010000 (or in Decimal 80).
- Bits 28 to 16 represent the ‘Object Type ID’: 100000010 (or in Decimal 258)
Note that we 'shift' the number to the right by 16 places before we convert to a decimal value.
- Bit 29 represents if the right is an ‘owner right’. If it is 1, then the right is an ‘owner right’, rather than a normal right.
So, you should now have 3 pieces of information: The true ‘Right ID’, the ‘Object Type ID’ and if the right is an ‘owner right’ or a normal right.
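The bit decoding described above, combined with the log line fields from the earlier sections, as an added Python example (not part of the original page or of the BI Platform tooling). The regular expression is an assumption based on the two log lines quoted on this page, and the function names are hypothetical.

```python
import re

# Pattern assumed from the two log lines shown on this page.
ENTRY = re.compile(
    r"Security::IsAllowed\(\s*U=(\d+),R=(\d+),Ob=(\d+),Own=(\d+),T=(\d+)\s*\)"
    r"\s*:\s*IsAllowed=(true|false)")

# Standard principals, copied from the table on this page.
STANDARD_PRINCIPALS = {1: "Everyone", 2: "Administrators", 3: "Objlimits",
                       4: "Cluster Object", 10: "System Account", 11: "Guest",
                       12: "Superuser", 33: "Newusersignup"}

# The two log lines quoted on this page.
SAMPLE = [
    "2014 08 20 14:25:29:648| Security::IsAllowed( U=4805061,R=90,Ob=989734,Own=447019,T=2 ) : IsAllowed=false defined=",
    "2014 08 28 17:17:06:214|Security::IsAllowed( U=12,R=16908368,Ob=559,Own=10,T=0 ) : IsAllowed=true (from normal right)",
]

def decode_right(r):
    """Split an R= value into (owner_right, object_type_id, right_id)."""
    if r < 65536:
        return (False, None, r)            # generic right, nothing packed
    right_id = r & 0xFFFF                  # bits 15 to 0
    object_type = (r >> 16) & 0x1FFF       # bits 28 to 16, shifted right by 16
    owner_right = bool((r >> 29) & 1)      # bit 29
    return (owner_right, object_type, right_id)

def parse_entry(line):
    """Parse one Security::IsAllowed line into a dict; None if no match."""
    m = ENTRY.search(line)
    if m is None:
        return None
    user, right, obj, owner, obtype = (int(g) for g in m.groups()[:5])
    owner_right, packed_type, right_id = decode_right(right)
    return {
        "user": STANDARD_PRINCIPALS.get(user, user),
        "owner": STANDARD_PRINCIPALS.get(owner, owner),
        "object": obj,
        # When T=0, take the object type from the packed right instead.
        "object_type": obtype if obtype != 0 else packed_type,
        "right_id": right_id,
        "owner_right": owner_right,
        "allowed": m.group(6) == "true",
    }

def denied(lines):
    """Return parsed entries whose right was denied (IsAllowed=false)."""
    parsed = (parse_entry(line) for line in lines)
    return [e for e in parsed if e and not e["allowed"]]
```

Calling `denied(SAMPLE)` returns only the first entry (right 90 denied for user 4805061); IDs that are not standard principals are left as numbers to be looked up in Query Builder.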
The next steps involve identifying the right by ‘filtering’ the table based off the:
- ‘SI_NAME’ (from the ‘Object Type ID’, bits 28 to 16)
- Right description (from the Right ID, last 16 bits)
- If it’s an ‘owner right’ (Bit 29)
Step 1: SI_NAME
Determine the SI_NAME based off the ‘Object Type ID’. Use Query Builder with this SQL:
Select SI_NAME from ci_systemobjects where si_obtype=xxxx and si_plugin_object=1
Replacing xxxx with the Object Type, 258 in our example. For our test system, the SI_NAME is ‘CrystalEnterprise.CMC’.
Step 2: Right description
Look at only the rows in the ‘Right IDs’ table for the ‘SI_NAME’ you have just identified in Step 1. (Filtering the column A)
Then filter these rows further by the true Right ID (last 16 bits of the Right ID) (Filtering on the column D)
You will be left with one or two rows: one ‘normal’ right and (possibly) another ‘that the user owns’ right. The description for rights (as shown in the Central Management Console) will be shown in column E of the table.
Step 3: Owner right?
If you identified the Right ID as containing an owner bit (Bit 29 is 1, not 0), then the right is the one ending ‘that the user owns’; otherwise it is the normal right.
So, for our example,
2014 08 28 17:17:06:214|Security::IsAllowed( U=12,R=16908368,Ob=559,Own=10,T=0 ) : IsAllowed=true (from normal right)
We know the:
- Right ID has a decimal value of 80. (last 16 bits)
- The ‘Object Type ID’ has a decimal value of 258, allowing us to determine (for our system) the SI_NAME is ‘CrystalEnterprise.CMC’
- The right was a normal right, not an owner right (bit 29 of ‘Right ID’)
And so the right seen in the Central Management Console that was being checked was “Allow access to Security Query”. We can see this from this row in the table below:
SI_NAME (obtain this from the ‘Right ID’ bits 28 to 16 and querying the CMS database) | Friendly Name for SI_NAME | Is Plugin Specific? | Right ID (Obtain this from the last 16 bits of ‘Right ID’ seen in the logs) | Description (As shown in the Central Management Console) |
CrystalEnterprise.CMC | CMC | Plugin Specific | 80 | Allow access to Security Query |
Right IDs table
The list of Right IDs can be downloaded here in Microsoft Excel format.
The table containing the list of rights:
- is very long, and so best to use the feature of Excel to 'filter'.
- is the list of rights that can be changed and set at the 'SDK' level. Only a subset of these rights are actually exposed in the product through the BILaunchPad and Central Management Console. Many of the rights are not used.
- is not necessarily complete for every system since the list of rights depends upon which plug-ins are installed. Example plug-ins are: 'Crystal Reports', 'Web Intelligence', 'Explorer'. The most common plug-in types are listed.
Please note - the BI Support Tool will enable you to download a full and complete list of right IDs for your system. You are advised to use the BI support tool, over the Excel file mentioned here.