0 Replies Latest reply on Jul 9, 2017 4:33 PM by ChrisMoto

    "You do not have access to this dashboard" - After upgrading to 2017.1 (Update: Suspect session crossover)

    ChrisMoto Apprentice

      I recently upgraded our Xtraction server from 2016.3 to 2017.1

       

      Users across the board have been occasionally receiving the error: "You do not have access to this dashboard" when viewing, exporting and refreshing dashboards. Even dashboards that they have created themselves.

      I've also experienced this error myself when viewing, exporting and refreshing various dashboards (including ones I've created myself) and I'm an administrator.

       

      It doesn't appear to be isolated to any particular dashboards. It occurs on dashboards that were created both pre and post-update to 2017.1.

       

      This is an example of the error logs recorded just this morning from multiple users (including myself as the last two entries):

       

      2017-07-05 00:51:58,186 ERROR Xtraction.Service.SecurityService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

      2017-07-05 00:51:58,201 ERROR Xtraction.Service.DashboardService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

         at Xtraction.Service.DashboardService.LoadDashboard(Int32 dashboardId, Boolean deserialize)

      2017-07-05 00:56:32,386 ERROR Xtraction.Service.SecurityService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

      2017-07-05 00:56:32,386 ERROR Xtraction.Service.DashboardService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

         at Xtraction.Service.DashboardService.LoadDashboard(Int32 dashboardId, Boolean deserialize)

      2017-07-05 04:17:05,103 ERROR Xtraction.Service.SecurityService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

      2017-07-05 04:17:05,118 ERROR Xtraction.Service.DashboardService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

         at Xtraction.Service.DashboardService.LoadDashboard(Int32 dashboardId, Boolean deserialize)

      2017-07-05 09:49:44,379 ERROR Xtraction.Service.SecurityService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

      2017-07-05 09:49:44,379 ERROR Xtraction.Service.ExportService - Error

      Xtraction.Model.SecurityException: You do not have access to this dashboard

         at Xtraction.Service.SecurityService.CurrentUserHasAccessToDashboard(Dashboard dashboard)

         at Xtraction.Service.ExportService.ExportDashboard(Dashboard dashboard, ComponentExportOptions options)

       

      Is this an issue that has been experienced by anyone else? Or is it a known issue at all at Xtraction?

       

       

      Edit: Think I have discovered the WHY, but not the HOW this is happening...

       

      I just created a new Scheduled Task, and upon saving the Created By user shows another user that is not me.

       

       

      The user "Michael" is currently logged into the server but he does not have access to create Scheduled Tasks (or even documents to schedule). I believe the server is somehow mixing up the sessions. So when people are attempting to open dashboards the server is mixing up their session and attempting to open it under someone elses session who might not have access to it.

       

      Or in this case, I just created a Scheduled Task under someone elses name who doesn't even have the rights to do this.

       

      I suspect this is now a security issue as almost anyone could be accessing data outside of their data policies from other people logged into the server and I'd have no idea. Hell, they may even be able to perform administrative actions if their account gets mixed up with one of the admins logged onto the server.

       

      I will raise a support ticket for this issue instead. May also have to lock out the server until it's rectified.