Automic Workload Automation


Deleting private dashboards

  • 1.  Deleting private dashboards

    Posted Nov 20, 2020 08:54 AM
    Edited by Michael A. Lowry Nov 20, 2020 09:21 AM
    I recently ran into "Access denied U00000009" errors when trying to delete some dashboards that users had created. I have full administrator access to the AE system, so I was surprised that there were user-created objects I could not delete.

    I opened a ticket with Broadcom and was essentially told that the AE is working as designed. Private dashboards are marked private using object-level authorizations. Users other than the creator will not be able to do anything with these objects, even if they have full access to all objects in the AE system.

    Broadcom recommended that I ask each user to change their dashboards to public so that I can delete them. I pointed out that some of the users do not exist anymore, and Broadcom replied that I should in that case re-create these users, log in as them, and then delete the dashboards. (This surely won't work either, because the new USR_OH_Idnr will not match the OACL_AuthIdnr of the existing entries.)

    You can list private dashboards and their owners using the following SQL query.

    select DASHOH.OH_Name,OACL_OH_Idnr,OACL_Lnr,OACL_AuthType,OACL_AuthIdnr,OACL_BitCode,
    OACL_Prohibition,USROH.OH_NAME, USR_FirstName || ' ' || USR_LastName as USR_Name, USR_EMail1
    from OH DASHOH
    left outer join OACL on DASHOH.OH_IDnr = OACL_OH_Idnr
    left outer join USR on OACL_AuthIdnr = USR_OH_Idnr
    left outer join OH USROH on USR_OH_Idnr = USROH.OH_Idnr
    where 1=1
    and DASHOH.OH_OType = 'DASH'
    and DASHOH.OH_DeleteFlag = 0

    Broadcom also mentioned an unsupported and 'not recommended' way: removing OACL entries directly from the DB.  An SQL DELETE statement can be used to delete the object-level permissions from an object. E.g.,
    delete from OACL where oacl_oh_idnr=...

    So far, Broadcom Support has been unwilling or unable to provide a supported way for an AE system administrator to remove private dashboards. The upshot of this is that it is not possible for an administrator to remove private dashboards without running unsupported SQL DELETE statements. For each dashboard, the owner of the dashboard must still exist in the system, and this user must perform the deletion.


  • 2.  RE: Deleting private dashboards

    Posted Nov 21, 2020 08:59 AM
    Hi Michael,

    at the moment I don't think that there is another workaround other than manipulating the database via SQL. This might be an administrative issue in general for using the user privilege "Deal with authorizations at object level": during the administrative training I always explain the concept, how it works and recommend not to assign the privilege to any user. This helps to avoid admin headaches.

    OK - for a private dashboard it's not required to assign the privilege at all because the authorization will be assigned automatically by AE

    What are the alternatives?

    1) don't use dashboards at all (no access to the dashboard perspective, no access on object level)
    2) dashboards can only be created by a few selected users, others will have a "NOT WD on DASH"
    3) ?

    regards,
    Peter

    ------------------------------
    Capture Europe
    ------------------------------



  • 3.  RE: Deleting private dashboards

    Posted Nov 24, 2020 09:09 AM
    Edited by Michael A. Lowry Jul 20, 2023 08:44 AM

    @Peter Grundler wrote:

    What are the alternatives?

    1) don't use dashboards at all (no access to the dashboard perspective, no access on object level)
    2) dashboards can only be created by a few selected users, others will have a "NOT WD on DASH"
    3) ?

    3) The AE should not set object-level authorizations on any object if the user does not have the Deal with authorizations at object level privilege.



  • 4.  RE: Deleting private dashboards

    Posted Jul 20, 2023 08:58 AM

    Hi Michael,

    to me this is the worse option because usually I don't want any user to make use of this privilege "by mistake". As you can imagine, this would cause much more work for the admin to set/delete it, right?

    best regards,

    Peter



    ------------------------------
    Automic Certified Professional/Expert & Broadcom Knight

    For AUTOMIC trainings please check https://www.qskills.de/qs/workshops/automic/
    ------------------------------



  • 5.  RE: Deleting private dashboards

    Posted Jul 20, 2023 10:31 AM
    Edited by Michael A. Lowry Jul 20, 2023 10:30 AM

    I just mean that the way it is currently implemented is wrongheaded:

    • Currently, the AE sets object-level authorizations on a dashboard if the user marks it private, even if the user does not have the Deal with authorizations at object level privilege.
    • Ideally, the AE should not set object-level authorizations on any object if the user does not have the Deal with authorizations at object level privilege.



  • 6.  RE: Deleting private dashboards

    Posted Nov 24, 2020 02:15 AM
    Thanks for your explanations. They were old dashboards (5 years). I have now cleaned it up via the users.


  • 7.  RE: Deleting private dashboards

    Posted Dec 03, 2020 11:26 AM
    Edited by Michael A. Lowry Mar 04, 2021 07:39 AM
    The work-around of deleting OACL entries does not work. I even tried stopping and restarting the AE server, in case the WPs might be caching authorization data. I have a ticket open with Broadcom, so hopefully they'll provide a supported solution soon.

    Update: See the correction in the reply below.




  • 8.  RE: Deleting private dashboards
    Best Answer

    Posted Dec 10, 2020 03:58 AM
    Edited by Michael A. Lowry Jul 20, 2023 08:41 AM

    Correction: the work-around does work. The first time I tried it, I neglected to commit the deletion to the DB. Details follow.

    1. Display the OACL table row for the private dashboard. In this example, the dashboard is named UC0.MAL.PRIV.DASH.

    select oh_name,oh_client,oacl.*
    from oh,oacl
    where oh_idnr=oacl_oh_idnr
    and oh_name='UC0.MAL.PRIV.DASH'
    and oh_client=1
    and oh_deleteflag=0

    One row should be returned.

    OH_NAME            OH_CLIENT  OACL_OH_IDNR  OACL_LNR  OACL_AUTHTYPE  OACL_AUTHIDNR  OACL_BITCODE  OACL_PROHIBITION
    UC0.MAL.PRIV.DASH  1          1931002       1                        1587002        11            0


    2. Delete this row from the OACL table. In this example, the object ID number of the dashboard, and the ID uniquely identifying the row in the OACL table, is 1931002.

    delete from oacl
    where oacl_oh_idnr=1931002

    You should see a message indicating that the row was successfully deleted from the OACL table.

    1 row deleted.


    3. Commit the change to the DB.

    4. Restart the Automation Engine server.
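
A guarded variant of steps 1 to 3 above, as an added example that is not part of the original post or Broadcom's own procedure. It assumes an Oracle-style SQL client with autocommit off; OACL_BACKUP_DASH is a hypothetical backup table name, and the dashboard name and client are the ones from the post.

```sql
-- Added example. OACL_BACKUP_DASH is a hypothetical table name.
-- 1. Copy the rows that are about to be removed, so they can be re-inserted
--    if needed. Run this first: on Oracle, CREATE TABLE commits implicitly,
--    so it must not come between the DELETE and the decision to commit.
create table OACL_BACKUP_DASH as
select OACL.*
from OACL
join OH on OH_Idnr = OACL_OH_Idnr
where OH_Name = 'UC0.MAL.PRIV.DASH'
and OH_Client = 1
and OH_OType = 'DASH'
and OH_DeleteFlag = 0;

-- 2. Delete by name, client and object type instead of a hand-typed ID
--    number, so a mistyped ID cannot strip authorizations from another object.
delete from OACL
where OACL_OH_Idnr in (
    select OH_Idnr
    from OH
    where OH_Name = 'UC0.MAL.PRIV.DASH'
    and OH_Client = 1
    and OH_OType = 'DASH'
    and OH_DeleteFlag = 0
);

-- 3. The backup row count should equal the "rows deleted" message from step 2
--    (one row in the example from the post).
select count(*) from OACL_BACKUP_DASH;

-- 4. No object-level authorization rows should remain for the dashboard.
--    Expected result: 0.
select count(*)
from OACL
join OH on OH_Idnr = OACL_OH_Idnr
where OH_Name = 'UC0.MAL.PRIV.DASH'
and OH_Client = 1
and OH_OType = 'DASH'
and OH_DeleteFlag = 0;

-- 5. Make the deletion permanent. Until this runs, other sessions (including
--    the AE) still see the old OACL row. If either count was unexpected,
--    run "rollback;" instead.
commit;
```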



  • 9.  RE: Deleting private dashboards

    Posted Dec 17, 2020 09:46 AM

    I suppose if you were leery of deletes you could add your own id to the acl through sql.



    ------------------------------
    Architect, Systems Administration
    Treehouse Foods
    ------------------------------



  • 10.  RE: Deleting private dashboards

    Posted Dec 18, 2020 08:29 AM
    Edited by Michael A. Lowry Mar 04, 2021 07:41 AM
    I received confirmation from Broadcom Support that the above method (deleting rows from OACL and then restarting the AE) is the officially supported way for an AE administrator to change a private dashboard to public.


  • 11.  RE: Deleting private dashboards

    Posted Mar 04, 2021 07:07 AM
    THANK YOU!!!

    ------------------------------
    IT-System Engineer / Automic Administration
    HanseMerkur
    ------------------------------



  • 12.  RE: Deleting private dashboards

    Posted Mar 05, 2021 02:31 AM
    Edited by Christoph Rekers Mar 05, 2021 02:36 AM
    Hi @Michael A. Lowry
    Why would you restart the AE? The former private Dash appears as a public Dash immediately after I use your delete statement.

    Thanks
    Christoph 


    ------------------------------
    ----------------------------------------------------------------
    Automic AE Consultant and Trainer since 2000
    ----------------------------------------------------------------
    ------------------------------



  • 13.  RE: Deleting private dashboards

    Posted Mar 05, 2021 02:46 AM
    Yes, works without restarting the AE in my opinion.

    ------------------------------
    IT-System Engineer / Automic Administration
    HanseMerkur
    ------------------------------



  • 14.  RE: Deleting private dashboards

    Posted Dec 16, 2020 06:12 AM

    I created a new idea for this problem. If you agree with the idea, please vote for it.
    Fix implementation of private dashboards feature, or remove this feature




  • 15.  RE: Deleting private dashboards

    Posted Apr 03, 2023 06:37 AM

    Broadcom deleted the idea.




  • 16.  RE: Deleting private dashboards

    Posted Jul 20, 2023 07:51 AM

    I had just checked to see if there were any updates on that idea, and saw it wasn't out there.

    IMO, having to make these changes via SQL is poor practice. Broadcom should provide another option.




  • 17.  RE: Deleting private dashboards

    Posted Dec 18, 2020 09:59 AM

    I had a similar issue: a user was able to create a private dashboard with a name that should not have been allowed by Automic (JOBS or JOBPLAN, I think it was). That caused other issues, and I had to delete it with SQL as the user was out of office.