Hyland Connect

Upgrading from a previous Alfresco version introduces significant architectural changes, particularly affecting system-level operations such as LDAP synchronization. One of the key challenges reported by users is encountering the following error during the sync process:

org.alfresco.service.cmr.security.NoSuchPersonException: 02020039 User does not exist and could not be created: System

This error arises due to changes in how Alfresco handles runAsSystem, which impacts scripts, rules, and processes that previously relied on this functionality. Below, we outline the root cause of the issue and potential solutions.

Understanding the Issue

1. No "System" User Object in Alfresco

Alfresco does not maintain a persistent "System" user object, but it previously allowed operations to run under the runAsSystem context. With recent updates, some of these capabilities have been deprecated or altered, leading to failures when scripts or rules attempt to execute as "System."

2. Impact on Rules and LDAP Sync

• When users are created via LDAP sync, a rule might be triggered to create home folders.
• These rules may be running in a runAsSystem context, which no longer behaves as expected.
• The absence of a "System" user object results in failures during execution.
• Furthermore, searches for nodes created by runAsSystem are filtered out in the UI and possibly in the REST API.

Possible Solutions

1. Modify Rules to Run as an Admin User

Instead of relying on runAsSystem, you can configure your rules or scripts to run under an admin user context:

if (!fullyAuthenticatedUser || fullyAuthenticatedUser == 'System' ) {
    auth.runAsFullyAuthenticatedUser('admin');
}

Pros:

• Simple to implement in JavaScript-based rules.
• Avoids dependency on a non-existent "System" user.

Cons:

• The admin user can be deleted, making this solution potentially unreliable.
• Some filtering issues may still persist.

2. Implement a Custom Home Folder Provider

Instead of triggering a rule upon user creation, a custom home folder provider could be developed to ensure home folders are created outside of rule execution, avoiding the need for runAsSystem.

Pros:

• Provides a more robust and maintainable approach.
• Eliminates reliance on brittle scripting workarounds.

Cons:

• Requires custom development effort.

3. Patch Alfresco to Remove System-Based Query Filters

Some users choose to patch Alfresco to remove hardcoded filtering that excludes nodes created by runAsSystem. This can be done by modifying query filters related to cm:creator.

Pros:

• Restores expected functionality.
• Removes unnecessary constraints on searches and rules.

Cons:

• Requires Alfresco patching, which may be complex for Enterprise Edition customers.
• May introduce maintenance overhead for future upgrades.

Best Practices When Upgrading

1. Review Custom Rules and Scripts – Identify any rules that rely on runAsSystem and update them accordingly.
2. Test LDAP Sync in a Staging Environment – Ensure user synchronization works as expected before deploying to production.
3. Monitor Logs for System Context Errors – Look for NoSuchPersonException or related errors.
4. Consult Alfresco Documentation – Always review Alfresco’s official release notes for changes that impact authentication and permission handling.
5. Consider Consulting an Alfresco Expert – If your system relies heavily on legacy behaviors, an expert can help design a robust upgrade path.

Conclusion

Alfresco’s transition from 5.2 to 23.3.3 brings several architectural changes that affect system-level processes, particularly LDAP synchronization and home folder creation. Understanding and addressing runAsSystem limitations is key to a successful upgrade. Whether by modifying scripts, implementing a custom provider, or patching query filters, each solution has trade-offs that should be carefully considered.

For organizations planning an upgrade, a structured approach—testing, code review, and consulting best practices—will minimize disruptions and ensure a smooth transition.