https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280933#M234063 <HTML><HEAD></HEAD><BODY><P><STRONG>Alfresco Community - 5.2.0 (r130508-b9)</STRONG></P><P><STRONG><SPAN class="value">Windows Server 2012 R2</SPAN></STRONG></P><P><STRONG>Using LDAP-AD</STRONG></P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD><P>### AD Sync ###</P><P>authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad</P><P>ntlm.authentication.sso.enabled=false</P><P>ldap.authentication.allowGuestLogin=false</P><P>ldap.authentication.userNameFormat=%s@***</P><P>ldap.authentication.java.naming.provider.url=ldap://***:389</P><P>ldap.authentication.defaultAdministratorUserNames=Administrator, systems</P><P>ldap.synchronization.java.naming.security.principal=administrator@***</P><P>ldap.synchronization.java.naming.security.credentials=***</P><P>ldap.synchronization.groupSearchBase=ou=Groups,ou=Cornerstone Housing,dc=LCHSU,dc=local</P><P>ldap.synchronization.userSearchBase=ou=Users,ou=Cornerstone Housing,dc=LCHSU,dc=local</P></TD></TR></TBODY></TABLE></BLOCKQUOTE><P></P><P>User needs to be assigned to the '<SPAN class="field-label-right"></SPAN> <SPAN class="field-value">ALFRESCO_ADMINISTRATORS</SPAN>' group in order to change their individual dashboards - including hiding the 'Getting Started' panel from the dashboard or from the customisation page.</P><P></P><P>When they do try to make changes to their dashboard, alfresco.log spits out the following:</P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD><P>2016-10-27 17:00:29,140 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-9090-exec-10] Exception from executeScript: 09270502 Access Denied.&nbsp; You do not have the appropriate permissions to perform this operation.</P><P>org.alfresco.repo.security.permissions.AccessDeniedException: 09270502 Access Denied.&nbsp; You do not have the appropriate permissions to perform this operation.</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:57)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:166)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.transaction.RetryingTransactionInterceptor$1.execute(RetryingTransactionInterceptor.java:86)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.transaction.RetryingTransactionInterceptor.invoke(RetryingTransactionInterceptor.java:76)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)</P><P>&nbsp;&nbsp;&nbsp; at com.sun.proxy.$Proxy20.addAspect(Unknown Source)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.bean.ADMRemoteStore.deleteDocument(ADMRemoteStore.java:632)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.bean.BaseRemoteStore.execute(BaseRemoteStore.java:302)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:512)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:428)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)</P><P>&nbsp;&nbsp;&nbsp; at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)</P><P>&nbsp;&nbsp;&nbsp; at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)</P><P>&nbsp;&nbsp;&nbsp; at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)</P><P>&nbsp;&nbsp;&nbsp; at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)</P><P>&nbsp;&nbsp;&nbsp; at java.lang.Thread.run(Unknown Source)</P><P>Caused by: net.sf.acegisecurity.AccessDeniedException: Access is denied.</P><P>&nbsp;&nbsp;&nbsp; at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)</P><P>&nbsp;&nbsp;&nbsp; at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:398)</P><P>&nbsp;&nbsp;&nbsp; at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)</P><P>&nbsp;&nbsp;&nbsp; at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)</P><P>&nbsp;&nbsp;&nbsp; at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:53)</P><P>&nbsp;&nbsp;&nbsp; ... 48 more</P></TD></TR></TBODY></TABLE></BLOCKQUOTE><P></P><P>This seems odd as this should be a pretty rudimentary function that shouldn't require elevated privileges</P><P></P><P>Any ideas? Could there be a conflict with the AD?</P><P>I've trolled the forums but can't seem to find anything...surely this isn't unique?</P></BODY></HTML> Thu, 27 Oct 2016 06:36:22 GMT dummin 2016-10-27T06:36:22Z https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280933#M234063 Alfresco Community - 5.2.0 (r130508-b9)Windows Server 2012 R2Using LDAP-AD### AD Sync ###authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-adntlm.authentication.sso.enabled=falseldap.authentication.allowGuestLogin=falseldap.authentication.userNameFormat=%s@***ldap.authentication.java.naming.provi Thu, 27 Oct 2016 06:36:22 GMT https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280933#M234063 dummin 2016-10-27T06:36:22Z https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280934#M234064 <HTML><HEAD></HEAD><BODY><P>No ,not need to be an administrator to customize personal dashboard.</P><P>is this all log information in alfresco.log? could you please attach alfresco.log file here?</P></BODY></HTML> Thu, 27 Oct 2016 08:44:58 GMT https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280934#M234064 kaynezhang 2016-10-27T08:44:58Z https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280935#M234065 <HTML><HEAD></HEAD><BODY><P>Hmm, I just reproduced this on 201609-EA running on Mac OS with Alfresco NTLM users.</P></BODY></HTML> Thu, 27 Oct 2016 14:57:36 GMT https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280935#M234065 jpotts 2016-10-27T14:57:36Z https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280936#M234066 <HTML><HEAD></HEAD><BODY><P><B>Craig Dummin</B>​ given that I was able to reproduce this on an out-of-the-box install of 201609-EA without using LDAP and with no other customizations installed, I'd say this is a bug. I did a quick search on Jira and saw nothing, but I didn't look too thoroughly.</P><P></P><P>Maybe you could also give <A href="http://issues.alfresco.com/" rel="nofollow noopener noreferrer">Jira</A> a scrub and then create a new issue if you cannot find one?</P><P></P><P>Also, if you were trying to use Alfresco Community Edition in production, you should be using 201605-GA, which is currently the latest stable release.</P></BODY></HTML> Thu, 27 Oct 2016 15:12:17 GMT https://connect.hyland.com/t5/alfresco-archive/why-do-you-need-to-be-assigned-as-an-administrator-to-customize/m-p/280936#M234066 jpotts 2016-10-27T15:12:17Z