Add permission exists but is denied by server


Post by Tri » Tue Jan 04, 2005 4:31 pm

Client + Server: 2.06

User X wants to check in a file in $/Projec /Folder1/Folder2/Folder3
He has RC permission (by inheritance through a group) on Folder1 and RCA on Folder2. Folder2 has several subfolders.

The check-in failed with the following error message:
"Item $/Projec /Folder1/Folder2/Folder3/Images/abc.gif caused the transaction to fail: You do not have the permission to perform the operation."

Can you please advise what was wrong? Thanks in advance.


Post by jclausius » Tue Jan 04, 2005 4:47 pm

Can you give a complete listing of the rights assigned for the user in that repository? You can find this in the Admin Tool for the security properties of User X.
Jeff Clausius
SourceGear


Post by Tri » Tue Jan 04, 2005 5:11 pm

If you want to see if there are conflicts in permission definition, then here is the summary:

- RC permission on Folder1
- subdirs (Folder2 and below) all have RCA.

User X checked in a file in a subdir where he has RCA permission.

Do you still want the project listing? Can I send it to you by email?


Post by jclausius » Tue Jan 04, 2005 5:21 pm

Yes, can you either give me a screen shot or if you like, I can provide you with a database query to gather the "textual" information.

When you get the info, you can contact me using the e-mail button at the bottom of my posting.
Jeff Clausius
SourceGear


Post by jclausius » Tue Jan 04, 2005 5:32 pm

Also, for the sake of completeness, can you also examine your server's log file - by default this is found in %windir%\temp\sgvault? I'd like to have a look in there to see if it contains "normal" activity.

If you like, you can email me that file as well.
Jeff Clausius
SourceGear


Post by jclausius » Tue Jan 04, 2005 5:42 pm

Just mulling this over a bit. If it is not too much to ask, it would be more complete if we retrieved the information from the database itself.

Do you feel comfortable with running some SQL queries, and sending me the results?
Jeff Clausius
SourceGear


Post by Tri » Wed Jan 05, 2005 7:17 am

Please send me the SQL queries. I am a SQL2K DBA.


Post by jclausius » Wed Jan 05, 2005 9:01 am

You will first need to identify the user / repository.

SELECT userid, login, name FROM sgvault.dbo.tblusers
SELECT repid, name FROM sgvault.dbo.tblrepositories

With userid / repid in hand, run the following query:

SELECT * FROM sgvault.dbo.ufngetusersecurityrights(@@repid, @@userid)

I'm interested in the results from this last query.
Jeff Clausius
SourceGear


Post by jclausius » Wed Jan 05, 2005 3:32 pm

Tri:

Thanks for sending the information. Your configuration follows:

$/projects/A = USER r,c
$/projects/A/subproj = GROUP_1 - r,c
$/projects/A/subproj/src/files = GROUP_1 - r,c,a
...

From the Admin Tool Help about group rights:

User access rights always take precedent over group access rights regardless of where in the tree the group rights are applied. For example, a user access right at root takes precedence over a group access right on the folder itself.

( Note, there is a typo in the first sentence - the word precedent should be precedence. )

Anyway, the user X cannot add because there is a USER assigned right of RC that overrides all other group rights set below. Removing the user right on $/projects/A should allow user X to add the files.
Jeff Clausius
SourceGear


Post by GregM » Wed Jan 05, 2005 4:12 pm

That seems rather counter-intuitive. Why is access exclusive instead of additive (i.e. a user has access if they are granted access explicitly or through a group they are in, as in most OS access control)?


Post by jclausius » Wed Jan 05, 2005 9:06 pm

Instead of counter-intuitive, I would rather say security rights require a different way of thinking.

Allowing user assigned rights to trump any group rights allows a much finer control. This comes in handy when a group has been granted certain access to a part of the tree, and an admin still wants to deny a specific user access to that folder. In this case, assigning a "deny" right for a user denies the user that part of the tree.
Jeff Clausius
SourceGear


Post by GregM » Wed Jan 05, 2005 10:48 pm

I say counter-intuitive because group permissions and user permissions aren't applied in parallel like they are in all other security models that I've worked with, including the OS filesystem permissions.
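
The two resolution models debated in the posts above, as an added example that is not part of the original thread and is not SourceGear's code. It is a Python model run over a constructed ACL mirroring the quoted configuration, and it ends with an audit that lists group grants a user never receives. Assumptions: each letter in r,c,a is a separate right, rights are inherited from the nearest folder that has an entry, rights from several groups are combined, and the user names X and Y are illustrative.

```python
# Constructed ACL mirroring the configuration quoted in the thread.
# Entry: (folder, principal kind, principal name, rights); "" models a deny.
ACL = [
    ("$/projects/A", "user", "X", "RC"),
    ("$/projects/A/subproj", "group", "GROUP_1", "RC"),
    ("$/projects/A/subproj/src/files", "group", "GROUP_1", "RCA"),
]
MEMBERSHIP = {"X": {"GROUP_1"}, "Y": {"GROUP_1"}}  # assumed group members


def ancestors(path):
    """Yield path itself, then each parent folder up to the root '$'."""
    while True:
        yield path
        if path == "$":
            return
        path = path.rsplit("/", 1)[0]


def nearest(path, kind, names):
    """Rights from the closest folder at or above path with an entry of this
    kind for any of the names; None when no such entry exists (assumption)."""
    for folder in ancestors(path):
        found = [set(r) for f, k, n, r in ACL
                 if f == folder and k == kind and n in names]
        if found:
            return set().union(*found)
    return None


def effective_override(user, path):
    """Model described in the thread: a user right anywhere above wins."""
    user_rights = nearest(path, "user", {user})
    if user_rights is not None:
        return user_rights
    return nearest(path, "group", MEMBERSHIP.get(user, set())) or set()


def effective_additive(user, path):
    """Model GregM expected: user and group grants are combined."""
    groups = MEMBERSHIP.get(user, set())
    return (nearest(path, "user", {user}) or set()) | \
           (nearest(path, "group", groups) or set())


def shadowed_group_grants(user):
    """Audit: rights granted via a group that the override model withholds."""
    out = []
    for folder, kind, name, rights in ACL:
        if kind == "group" and name in MEMBERSHIP.get(user, set()):
            lost = set(rights) - effective_override(user, folder)
            if lost:
                out.append((folder, name, "".join(sorted(lost))))
    return out
```

Running the audit for every user after an ACL change shows which group grants are masked by a user-level entry higher in the tree, which is the condition behind the failed check-in.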


Post by Tri » Fri Jan 07, 2005 8:40 am

Problem solved. Thank you for your help.
