This page gives an overview of the Knowledge Management (KM) File System Repository configuration and details some common issues that can occur.
A File System Repository allows you to access content that is stored on an external file system, this content can then be edited in the portal through the KM User Interface (UI). Depending on the permissions you want to use there are two possible scenarios, if you just want to use the permissions that are defined in KM then you can use the ACL Security Manager, however if you want the permissions defined on the content in your windows system to also apply when the content is accessed from the KM UI then you must use the W2K Security Manager.
You just want to connect to a remote file system without using the W2K security manager. This is the easiest scenario to setup, the permissions will be controlled via ACLs which are set in KM. Here both the portal and remote file system are on windows.
- Create a network path under Global Services > Network Paths, you can use either the IP Address or the host name of the remote system in the Network Path parameter. For the user parameter you should use a user which has file system access rights on the remote file system, use the format <domain>\<user-id>
- Create a File System Repository Manager under Content Management > Repository Managers. Specify a Root directory and for security manager select 'AclSecurityManager'. For this scenario you don't need to use the W2K Security Manager and you don't need to specify a Windows Landscape System.
You should now be able to see the File System in KM but W2K ACLs are not replicated, permissions have to be set explicitely in KM. You should also see the repository showing green in the KM Component Monitor.
You also want to use the W2K permissions from your remote file system, this means that all content within the repository in KM will inherit their permissions from those set on windows.
You need to configure your J2EE servlet engine user, this is a very important step and is where most problems can occur. As documented in SAP note 615479 your J2EE user should be a global domain user that has 'Act as part of the Operating System' and 'Logon as a Service' authorisations.
The J2EE User also needs Full Control permissions on the remote File System content
Next you need to create a Windows System under Global Services > System Landscape Definitions > Systems > Windows System. Take note of the system ID used as you will need it later when creating your windows system in the portal system landscape.
You now need to modify the FS Repository Manager created in Scenario 1 above.
- Switch the Security Manager parameter to W2kSecurityManager
- Enter the Windows System you just created in the 'Windows Landscape Parameter'
- If you accidently entered the incorrect System ID then you could encounter the following types of errors when trying to access the resources:
The requested operation is forbidden for this resource. You do not have permissions required to access this resource.
The item you are attempting to access reqiuires permissions you do not have. Contact the item's owner or a system administrator to acquire the permissions in question.
Now you need to define a KM Windows System in the Portal System Landscape.
The 'System Alias' you define in your KM Windows System must be identical to the System ID which you already created in KM.
You should now have this system available for user mapping. If there are still "Access Denied" errors when trying to access the content then make sure that the portal user is mapped to an appropriate user on the file system who has access to the content.
You should now be able to see the remote permissions of the file system when you go to Details > Settings > Permissions of a resource, however they will not be editable as they are coming directly from the file system.
When testing if your W2K scenario is working you should not use a System Principal User. These users have special authorisations on all content that override the W2K permissions, so access to W2K content with these users does not prove that it is working correctly. System Principals are defined under Utilities > System principals and there is a default set of SAP delivered System Principals which are used as service users, these should not be changed. It is also worth noting that if you assign your user a System Principal Role, e.g. Content Admin, System Admin or Super Admin, then they are automatically treated as a System Principal user as well. For more information on this see again SAP note 615479 and also see the online help documentation for System Principals.
If you are indexing the content of your remote file system then you will also need to perform a User Mapping for the index_service user to a user that has at least read access to the content on the remote file system.
All above content is referenced from the online documentation Integrating Documents from a Windows System into KM
- Check the KM Component monitor to see if your Repository Manager has been correctly started. If 'Repository Managers' is showing a yellow icon then click on the link and navigate down to see if the relevant Repository is showing a yellow or red icon and if there is any error message given.
- Any exceptions should be logged in the default*.trc, it is usually best to check this after a restart of the J2EE as it will then show any errors for the relevant repository during the KM startup.
If necessary you can increase the trace levels for the following
locations as per SAP note 815891.
This is only if you are using the W2k security manager in your
repository configuration and the issue is concerning users being
unable to access content even though the repository may be green
in the component monitor
o Location: com.sapportals.wcm.service.fsmount
This could be increased if there are mount errors shown on the
repository in the component monitor.
"Startup Error: getting mapped math - Logon failure: unknown user name or bad password"
This usually occurs when the user/password account used to logon to the remote server becomes invalid.
Check that the user/password combination entered in Sys Admin > Sys Config > KM > CM > Global Services > Network Paths for the relevant network path used is valid. Make sure this user has read/write access to the remote file system, one possibility is to delete the existing network path and create a new one.
Startup Error: host is unknown in file path
'\\fileserver\TeamA\Common' - fileserver: fileserver Startup
The path defined in the Network Path is not valid.
Verify if the Network Path has a valid path to the remote fileserver and that it is accessible.
A user is able to see all folders and files on the remote file system even though they don't have access rights on the file system level(W2K security manager is used)
The user is defined as a 'System Principal
Any user who has the System Principal role assigned will always be able to view all content regardless of permissions so you cannot check if the W2K scenario is working with these users.
Go to Sys Admin > Sys Config > KM > CM > Utilities > System Principals and check if the user you are using has either a System Principal Role assigned or if the user itself is defined as a System Principal.
SAP Note 615479: W2k Security Manager - Additional Information
SAP Note 917600: W2kSecurity Manager on UNIX systems
SAP Note 969462: fsmount / W2kSecurityManager on Windows 64-bit
SAP Note 789284: useJcifs Default Flag in Windows environment
SAP Note 1534175: Repository Manager using W2KSecurity Manager cannot start
SAP Note 815891: KMC NW04 / NW7.0: Trace information