sap-commerce-cloud

Hybris UAC: Employee with user access rights to create Employee cannot create an Employee


Hybris: 1905.9 (also tested with 1905.12)

I created a testEmployee Employee with a password of 1234 using the impex below. I configured the testEmployee to have user access rights to create Employees and Customers, as well as rights to see UserGroups.

Via Backoffice, this testEmployee can create a Customer, but causes an error when it tries to create an Employee.

What am I missing? Do I need to add UAC rights to other Types as well?

NOTES:

  • A testBackofficeAdmin that belongs to backofficeadmingroup is not able to create an Employee or a Customer
  • OOTB admin user can create an Employee
  • An Employee that belongs to admingroup can create an Employee

Impex:

$password=1234

INSERT_UPDATE Employee;UID[unique=true];password[default=$password];description;name;groups(uid);loginDisabled;backofficeLoginDisabled
;testEmployee;;description;name;employeegroup;false;false
;testBackofficeAdmin;;description;name;backofficeadmingroup;false;false

$START_USERRIGHTS;;;;;;;;;
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
Employee;testEmployee;employeegroup;$password;;;;;;
;;;;Employee;+;+;+;+;;
;;;;Customer;+;+;+;+;;
;;;;UserGroup;+;-;-;-;;
$END_USERRIGHTS;;;;;

Screenshot: [image not reproduced]

Stacktrace:

INFO  [hybrisHTTP17] [fe80:0:0:0:0:0:0:1%1] [ConfigurableFlowController] Object sampleEmployee [sampleEmployee] could not be saved
 com.hybris.cockpitng.dataaccess.facades.object.exceptions.ObjectSavePermissionException: Object sampleEmployee [sampleEmployee] could not be saved
    at com.hybris.cockpitng.dataaccess.facades.object.impl.PermissionAwareObjectFacade.save(PermissionAwareObjectFacade.java:125) ~[cockpit-data-integration-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.dataaccess.facades.object.impl.DefaultObjectFacade.save(DefaultObjectFacade.java:137) ~[cockpit-data-integration-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.persistWidgetProperty(ConfigurableFlowController.java:1132) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.persistProperties(ConfigurableFlowController.java:531) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.doDone(ConfigurableFlowController.java:882) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.ConfigurableFlowController.doDone(ConfigurableFlowController.java:869) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.listener.TransitionListener.onEvent(TransitionListener.java:43) [backoffice-widgets-19.05.12-RC5.jar:?]
    at com.hybris.cockpitng.widgets.configurableflow.renderer.ConfigurableFlowRenderer.lambda$createAndAppendButton$13(ConfigurableFlowRenderer.java:1145) [backoffice-widgets-19.05.12-RC5.jar:?]
    at org.zkoss.zk.ui.AbstractComponent.onEvent(AbstractComponent.java:3177) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3147) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.AbstractComponent.service(AbstractComponent.java:3089) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:138) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.processEvent(UiEngineImpl.java:1846) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.process(UiEngineImpl.java:1618) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.ui.impl.UiEngineImpl.execUpdate(UiEngineImpl.java:1321) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.process(DHtmlUpdateServlet.java:611) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doGet(DHtmlUpdateServlet.java:487) [zk-8.6.0.1.jar:8.6.0.1]
    at org.zkoss.zk.au.http.DHtmlUpdateServlet.doPost(DHtmlUpdateServlet.java:495) [zk-8.6.0.1.jar:8.6.0.1]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) [servlet-api.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) [servlet-api.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at com.hybris.backoffice.mobile.filter.BackofficeMobileFilter.doFilter(BackofficeMobileFilter.java:56) [classes/:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.WebAppMediaFilter.doFilter(WebAppMediaFilter.java:129) [coreserver.jar:?]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:329) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$StatisticsGatewayFilter.doFilter(AbstractPlatformFilterChain.java:417) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.backoffice.security.BackofficeDynamicCatalogVersionActivationFilter.doFilter(BackofficeDynamicCatalogVersionActivationFilter.java:81) [classes/:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.DataSourceSwitchingFilter.doFilter(DataSourceSwitchingFilter.java:66) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.SessionFilter.doFilter(SessionFilter.java:96) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.session.HybrisSpringSessionFilter.doFilter(HybrisSpringSessionFilter.java:74) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.cockpitng.modules.spring.filter.ExternalModuleContextClassLoaderFilter.doFilter(ExternalModuleContextClassLoaderFilter.java:37) [cockpit-module-aggregator-19.05.12-RC5.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.RedirectWhenSystemIsNotInitializedFilter.doFilter(RedirectWhenSystemIsNotInitializedFilter.java:101) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.TenantActivationFilter.doFilter(TenantActivationFilter.java:83) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.Log4JFilter.doFilter(Log4JFilter.java:44) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at com.hybris.backoffice.filter.responseheaders.BackofficeResponseHeadersFilter.doFilter(BackofficeResponseHeadersFilter.java:31) [classes/:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain$InternalFilterChain.doFilter(AbstractPlatformFilterChain.java:299) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.processStandardFilterChain(AbstractPlatformFilterChain.java:207) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.AbstractPlatformFilterChain.doFilterInternal(AbstractPlatformFilterChain.java:184) [coreserver.jar:?]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.1.13.RELEASE.jar:5.1.13.RELEASE]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at de.hybris.platform.servicelayer.web.XSSFilter.processPatternsAndDoFilter(XSSFilter.java:358) [coreserver.jar:?]
    at de.hybris.platform.servicelayer.web.XSSFilter.doFilter(XSSFilter.java:306) [coreserver.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.50]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.50]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.50]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.50]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.50]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) [catalina.jar:8.5.50]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.50]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609) [tomcat-coyote.jar:8.5.50]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.50]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810) [tomcat-coyote.jar:8.5.50]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623) [tomcat-coyote.jar:8.5.50]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.50]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.50]
    at java.lang.Thread.run(Thread.java:834) [?:?]

Solution

  • On further investigation, it seems that OOTB employeegroup has no access to create an Employee. Also, it explicitly does not have any right to change the groups attribute.

    If you create a usergroup that is a member of employeegroup, and explicitly define create access for Employee, it still won't be able to assign groups to an Employee.

    I think this behavior is expected, and is probably the result of ECP-2722 Preventing employee to assign himself administrator permissions.

    Workarounds can either be:

    • Create the Employee via a user that belongs to admingroup
    • Explicitly define write access to Employee.groups
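The second workaround written out as a user-rights impex. This is an added example, not the impex from the post above: it introduces a hypothetical UserGroup employeeManagerGroup so that the attribute-level right on Employee.groups is granted to a dedicated group rather than to all of employeegroup; the type-level rows mirror the ones the post already had.

```impex
# Added example (not from the original post). The UID employeeManagerGroup is
# hypothetical; testEmployee is the Employee created in the question.
INSERT_UPDATE UserGroup;uid[unique=true];groups(uid)
;employeeManagerGroup;employeegroup

# Membership is granted per Employee, not to every member of employeegroup.
INSERT_UPDATE Employee;uid[unique=true];groups(uid)
;testEmployee;employeegroup,employeeManagerGroup

# Type-level rows on Employee/Customer/UserGroup match the question's impex.
# The row on Employee.groups is the attribute-level write right the question's
# impex lacked; without it the Backoffice save fails with
# ObjectSavePermissionException even though create on Employee is granted.
$START_USERRIGHTS;;;;;;;;;
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
UserGroup;employeeManagerGroup;;;;;;;;
;;;;Employee;+;+;+;+;-
;;;;Employee.groups;+;+;;;
;;;;Customer;+;+;+;+;-
;;;;UserGroup;+;-;-;-;-
$END_USERRIGHTS;;;;;
```

Change on Employee.groups lets members of this group put an Employee into any group, including admingroup, which is the assignment ECP-2722 blocks by default, so keep employeeManagerGroup membership to the few users who actually administer Employees.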