Allowing webservices to run XPP tools when using XPP special security groups

Hi,

We've installed XPP 9.4 with webservices on Win 2016 Standard and are using the Special Windows Groups and XPP Permissions (xyadmin, xystyle, xyjstyle, xyperuse) to tighten security.

We are now finding that Webservices can't run the XPP tools within xz\bin and are receiving a "You cannot perform this activity" error.

Message: java.rmi.RemoteException: java.rmi.RemoteException: You cannot perform this activity
: command=D:\XPP\xz\bin\sdedit hj bills -ain hj_bills.xml -cd D:\XPP\std_jobz\alljobz/CLS_Templates/GRP_Jobs/JOB_GPO_CSR_Dev_Bill

The Apache docs say that the services are registered to run as the LocalSystem account, which can't be looked up or added to sec groups. They go on to suggest creating a separate account for running Apache and granting it the privileges of Log on as a service and Act as part of the operating system; we can then add this account to the xyadmin group.

Is this what you have done or are there other workarounds?

Thanks.

  • Hi Hedley,

    Question: Did this all work (i.e. Web Services running XPP tools) before you implemented the special XPP "permission" groups?

    If so, then I think that there will be no other solution other than creating an account (with the appropriate Windows privileges) that can then be added to the "XPP" group (if you've implemented such a "general" group for access to XPP) as well as the special XPP "permission" groups.

    If you've actually implemented all the special "permission" groups (all four of them), then the account you create for Web Services might not need to be added to the 'xyadmin' group; it might be sufficient to add it to the 'xystyle' and 'xyjstyle' groups. It would depend on whether anything you're going to be doing via Web Services is an XPP-admin-only operation (unless you just want to use the 'xyadmin' group to grant "full" permissions with just "one step").

  • Hi Jonathan,

    The groups were added as part of a PowerShell silent installer of XPP & webservices, so we don't have a "before" to test against. I have had the same error when running the sdedit tool on the command line, which was resolved by adding that user to the xyadmin group, so I'm assuming the new account to run Apache is the only way forward. We will talk to the client and see what tasks they need to perform via webservices and determine which is the most appropriate sec group to add them to.

    Thanks for your reply, just wanted to check I wasn't missing anything really obvious!

    Regards,

    Hedley
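
A read-only check for the situation discussed in this thread, added here as an example and not taken from the posts or from XPP documentation: it reports which account the web-services service runs as and which of the four XPP permission groups that account belongs to directly. It assumes the groups are local groups on the server and that the service name matches `*Apache*`; both are placeholders to adjust.

```powershell
# Added example, not from the thread. Assumptions: the XPP permission groups
# are LOCAL groups on this server, and the web-services service name or
# display name matches the pattern below (placeholder, adjust as needed).
param(
    [string]$ServiceFilter = '*Apache*',
    [string[]]$XppGroups   = @('xyadmin', 'xystyle', 'xyjstyle', 'xyperuse')
)

# Find the candidate service(s) and the account each one is registered to run as.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServiceFilter -or $_.DisplayName -like $ServiceFilter }

if (-not $services) {
    Write-Warning "No service matches '$ServiceFilter'."
    return
}

foreach ($svc in $services) {
    $account = $svc.StartName

    # Services store local accounts as ".\name"; Get-LocalGroupMember reports
    # them as "COMPUTER\name", so normalise before comparing.
    $normalized = $account -replace '^\.\\', "$env:COMPUTERNAME\"

    # Direct membership only: membership inherited through a nested domain
    # group is not resolved here.
    $memberOf = @(foreach ($group in $XppGroups) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.Name -contains $normalized) { $group }
    })

    [pscustomobject]@{
        Service       = $svc.Name
        RunsAs        = $account
        # The default registration described in the first post.
        IsLocalSystem = $account -eq 'LocalSystem'
        XppGroups     = $memberOf -join ', '
        # Flag the broadest grant so it can be compared against the narrower
        # xystyle/xyjstyle option raised in the reply.
        HasXyadmin    = $memberOf -contains 'xyadmin'
    }
}
```

Running it before and after switching the service to a dedicated account shows whether the change took effect and whether the account ended up with more XPP permission groups than the web-service tasks need.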
