  1. Share Application
  2. SHA-1849

Authentication Subsystem defined admin users discrepancies: Share > Admin Tools > Model Manager tool fails to render.




      The designation of administrator is inconsistent if the user is assigned as administrator from any of the authentication subsystems, compared to the ootb 'admin' or an alfrescoNTLM user manually added to the 'ALFRESCO_ADMINISTRATORS' group.

      1. The default ootb 'admin' user on bootstrap is added to the groups:


      They have access to use all the tools/links:

      note: they only need to be in the "ALFRESCO_ADMINISTRATORS" group, to access all admin tools (repo or share)

      2. A user created via "Share UI > Admin Tools > Users" by default is not assigned to any group.

      But if you add this user to 'just' "ALFRESCO_ADMINISTRATORS" group in "Share UI > Admin Tools > Groups" they have access to use all the:

      3. A user who is created with any of the Authentication Subsystems:

      • kerberos, passthru, ldap (AD), openLdap, external

      And defined as "defaultAdministratorUserName" in the subsystem's properties (any of these):

      • (external) external.authentication.defaultAdministratorUserNames=
      • (kerberos) kerberos.authentication.defaultAdministratorUserNames=
      • (passthru) passthru.authentication.defaultAdministratorUserNames=
      • (openLDAP/ldap AD) ldap.authentication.defaultAdministratorUserNames=

      They are not assigned to any "*_ADMINISTRATOR" groups, BUT this user has access to use all the:

      BUT they cannot use the 'Model Manager' via the Share UI > Admin Tools > Model Manager link. It renders a blank panel to the right of the tools list.

      The workaround is to add the user to the 'ALFRESCO_MODEL_ADMINISTRATORS' group or the ALFRESCO_ADMINISTRATORS group (redundant).

      This is very inconsistent and misleading.

      • All administrators should be automatically in ALFRESCO_ADMINISTRATORS group whether default, added manually or set as administrator via the synchronization/authentication subsystem designation
      • All administrators should by default have the same access.

      The authentication subsystem defined administrators do not show in the ALFRESCO_ADMINISTRATORS group, yet have all the same permissions, except for Model Manager.

      Steps to Replicate

      • create a user via Share UI > Admin Tools > users
      • add the user to the Share UI > Admin > Groups > ALFRESCO_ADMINISTRATORS group
      • use any of the authentication subsystems and set a user in the comma-delimited list property for that subsystem's '*defaultAdministratorUserNames' property
      • synchronize in the user
      • log in to the Share UI with each of 'ootb admin', 'user created manually and added to alf admin group', 'user synchronized in as designated administrator via auth subsystem'

      Note the discrepancies in the group associations between the admins not designated by the subsystem. Note that only those users not designated by the subsystem are able to use Model Manager without explicitly setting them in either the 'ALFRESCO_ADMINISTRATORS' or 'ALFRESCO_MODEL_ADMINISTRATORS' group.

      Expected Behavior

      • all admin users, regardless of how designated, should be in the ALFRESCO_ADMINISTRATORS group and/or have the same permissions as all admins.

      Actual Behavior

      • admin users designated via the authentication subsystem as administrator are not in the ALFRESCO_ADMINISTRATORS group and have all permissions except for access to Model Manager in 'Share > AdminTools'

      Some options: add them to the group, or remove the link in the Share > Admin Tools view and update the doc to say that subsystem-created admins must be explicitly added to a group.

      Ref: http://docs.alfresco.com/5.1/concepts/admintools-cmm-intro.html
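An audit for the discrepancy described in this issue, as an added example that is not part of the original report or of Alfresco's code: it lists users designated through the `*.authentication.defaultAdministratorUserNames` properties and checks them against group membership. The sample properties text, the usernames and the group membership data are constructed, and reading all properties from one text and supplying membership as a dictionary are assumptions.

```python
import re

# Property names are the four listed in the issue; all values below are constructed.
ADMIN_KEY = re.compile(
    r"^(external|kerberos|passthru|ldap)\.authentication\.defaultAdministratorUserNames$"
)

SAMPLE_PROPERTIES = """\
# constructed sample, not from a real system
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
ldap.authentication.defaultAdministratorUserNames = jdoe, asmith
kerberos.authentication.defaultAdministratorUserNames=
external.authentication.defaultAdministratorUserNames=svc_sso
"""

# Constructed group membership (in practice exported from the repository).
SAMPLE_GROUPS = {
    "ALFRESCO_ADMINISTRATORS": {"admin", "asmith"},
    "ALFRESCO_MODEL_ADMINISTRATORS": {"svc_sso"},
}

def subsystem_admins(text):
    """Return {username: [property keys that designate it as administrator]}."""
    admins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not ADMIN_KEY.match(key):
            continue
        for name in (n.strip() for n in value.split(",")):
            if name:                             # an empty property designates nobody
                admins.setdefault(name, []).append(key)
    return admins

def audit(text, groups):
    """Report, per subsystem-designated admin, the group gaps this issue describes."""
    full = groups.get("ALFRESCO_ADMINISTRATORS", set())
    model = groups.get("ALFRESCO_MODEL_ADMINISTRATORS", set())
    return [{
        "user": user,
        "designated_by": keys,
        "in_admin_group": user in full,
        # Per the behaviour reported here, Model Manager needs one of the two groups.
        "model_manager_expected": user in full or user in model,
    } for user, keys in sorted(subsystem_admins(text).items())]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_GROUPS):
        print(finding)
```

Any entry with `in_admin_group` set to false is an administrator that a review of ALFRESCO_ADMINISTRATORS membership alone would miss.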


        1. adminSetOnAuthSubsystem.swf
          4.46 MB
        2. alfrescoNTLMAdminView.swf
          1.74 MB
        3. defaultAdminView.swf
          1.61 MB
        4. syncAdminView.swf
          2.51 MB

                • Assignee:
                  jsoria Jennie Soria [X] (Inactive)