itil_user group read only because of security role issue

frank121
Kilo Sage

‎04-02-2019 12:09 PM

Hi all, we just upgraded our DEV instance to Madrid and running into a little problem with some security incident roles...

It seems that for some reason our itil_user group is being locked down to read only format which is not allowing us to add users to the group. We get a "user is not authorized to perform this action" error. We can however bypass this by elevating our roles to sn_si.admin role. After doing some digging we have a 'sn_si.external' role that is apart of our 'itil' role and it seems that is causing the lockdown of the group because the itil role is attached to the group. I have removed the sn_si.external role from the itil role and that did the trick but in our Jakarta instance we have the sn_si.external role added to our itil role and we are able to edit our itil user group without elevation. Any ideas on why this might be occurring?

 

I tried disabling all sys_user group ACLs, i tried adding user_admin to the sn_si.admin role and nothing seems to work.

Labels:
0 Helpfuls
  • 2,519 Views
8 REPLIES 8

Yaraslau
Tera Guru

‎10-24-2019 12:05 AM

We have had the same issue. 

When the manager of the group tried to add a user to his group he got an error: "User is not authorized to perform this action"

 find_real_file.png

 

And we resolved it!

 

1. Check which roles contains the group.

2. Go to the table 'sys_user_role'

3. Find these roles and check the field 'Assignable by'(only in the list view)

4. The manager of the group must have the same role.

Preview file
34 KB
Preview file
4 KB

Akhila8
Mega Expert
In response to Yaraslau

‎12-18-2019 01:52 AM

Can you eloborate a little, I am also stuck with the same Issue in NewYork. HR_Admin is unable to add users into Groups even though he is the manager of the group.

 

It prompts with the same error message 

"User is not authorized to perform this action"

 

Your reply really helps!!

0 Helpfuls

Akhila8
Mega Expert
In response to Akhila8

‎12-18-2019 02:20 AM

I am checking for the HRSM-HR Admin group, it contains SN_HR_CORE.ADMIN. Checked "Assignable by" it also have the same role"sn_hr_core_admin".

 

User is manager of the group and he has itil role and sn_hr_core.admin role, Even then after NewYork, User is unable to add people to group, it gives edit option, select user and then save, but it doesn't actually save the user to the group.

 

find_real_file.png

Preview file
54 KB
0 Helpfuls

Yaraslau
Tera Guru
In response to Akhila8

‎12-18-2019 03:08 AM

If HRSM-HR Admin group contains other roles you must be sure that they ALL "Assignable By"  sn_hr_core_admin.

0 Helpfuls