Add permission exists but is denied by server

This forum is now locked, since Gold Support is no longer offered.

Moderator: SourceGear

Locked
Tri
Posts: 288
Joined: Wed Dec 22, 2004 11:10 am

Add permission exists but is denied by server

Post by Tri » Tue Jan 04, 2005 4:31 pm

Client + Server: 2.06

User X wants to check in a file in $/Projec /Folder1/Folder2/Folder3
He has RC permission (by inheritance through a group) on Folder 1 and RCA on Folder2. Folder2 has several subfolders.

The check in is failed with the following error message:
"Item $/Projec /Folder1/Folder2/Folder3/Images/abc.gif caused the transaction to fail: You do not have the permission to perform the operation."

Can you please advise what was wrong? Thanks in advance.

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Tue Jan 04, 2005 4:47 pm

Can you give a complete listing of the rights assigned for the user in that repository. You can find this in the Admin Tool for the security properties of User X.
Jeff Clausius
SourceGear

Tri
Posts: 288
Joined: Wed Dec 22, 2004 11:10 am

Post by Tri » Tue Jan 04, 2005 5:11 pm

If you want to see if there are conflicts in permission definition, then here is the summary:

- RC permission on Folder1
- subdirs (Folder2 and below) all have RCA.

User X checked in a file in a subdir he has RCA permission.

Do you still want the project listing? Can I sent it to you by email?

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Tue Jan 04, 2005 5:21 pm

Yes, can you either give me a screen shot or if you like, I can provide you with a database query to gather the "textual" information.

When you get the info, you can contact me using the e-mail button at the bottom of my posting.
Jeff Clausius
SourceGear

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Tue Jan 04, 2005 5:32 pm

Also, for the sake of completeness, can you also examine your server's log file - by default this is found in %windir%\temp\sgvault? I'd like to have a look in there to see if it contains "normal" activity.

If you like, you can email me that file as well.
Jeff Clausius
SourceGear

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Tue Jan 04, 2005 5:42 pm

Just mulling this over a bit. If it is not too much to ask, it would be more complete if we retrieved the information from the database itself.

Do you feel comfortable with running some SQL queries, and sending me the results?
Jeff Clausius
SourceGear

Tri
Posts: 288
Joined: Wed Dec 22, 2004 11:10 am

Post by Tri » Wed Jan 05, 2005 7:17 am

Please send me the SQL queries. I am SQL2K DBA.

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Wed Jan 05, 2005 9:01 am

You will first need to identify the user / repository.

SELECT userid, login, name FROM sgvault.dbo.tblusers
SELECT repid, name FROM sgvault.dbo.tblrepositories

with userid / repid in hand, run the following query:

SELECT * FROM sgvault.dbo.ufngetusersecurityrights(@@repid, @@userid)

I'm interested in the results from this last query.
Jeff Clausius
SourceGear

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Wed Jan 05, 2005 3:32 pm

Tri:

Thanks for sending the information. Your configuration follows:

$/projects/A = USER r,c
$/projects/A/subproj = GROUP_1 - r,c
$/projects/A/subproj/src/files = GROUP_1 - r,c,a
...

From the Admin Tool Help about group rights:

User access rights always take precedent over group access rights regardless of where in the tree the group rights are applied. For example, a user access right at root takes precedence over a group access right on the folder itself.

( Note, there is a typo in the first sentence - the word precedent should be precedence. )

Anyway, the user X cannot add because there is a USER assigned right of RC that overrides all other group rights set below. Removing the user right on $/projects/A should allow user X to add the files.
Jeff Clausius
SourceGear

GregM
Posts: 485
Joined: Sat Mar 13, 2004 9:00 am

Post by GregM » Wed Jan 05, 2005 4:12 pm

That seems rather counter-intuitive. Why is access exclusive instead of additive (i.e. a user has access if they are granted access explicitly or through a group they are in, as in most OS access control)?

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Wed Jan 05, 2005 9:06 pm

Instead of counter-intuitive, I would rather say security rights require a different way of thinking.

Allowing user assigned rights to trump any group rights allows a much finer control. This comes in handy when a group has been granted certain access to a part of the tree, and an admin still wants to deny a specific user access to that folder. In this case, assigning a "deny" right for a user denies the user that part of the tree.
Jeff Clausius
SourceGear

GregM
Posts: 485
Joined: Sat Mar 13, 2004 9:00 am

Post by GregM » Wed Jan 05, 2005 10:48 pm

I say counter-intuitive because group permissions and user permissions aren't applied in parallel like they are in all other security models that I've worked with, including the OS filesystem permissions.

Tri
Posts: 288
Joined: Wed Dec 22, 2004 11:10 am

Post by Tri » Fri Jan 07, 2005 8:40 am

Problem solved. Thank you for your help.

Locked