Saturday, 30 June 2012

IBM Connections - "Security role to user/group mapping" reset after installing/uninstalling maintenance updates

I saw this in my IBM Connections Fixes RSS feed a few days back: -

Problem

"Security role to user/group mapping" is reset after installing or uninstalling maintenance updates.

Cause

"Security role to user/group mapping" information is written in the each application's ear (ex. Blogs.ear).
When maintenance update is installed or uninstalled, the fix application process repackages the EAR, then calls to re-install the EAR. It forces the node synchronization which overwrites what's actually there in DM and Node config directory.

Environment

All Platforms

Resolving the problem

If you have customized security role mappings in the WebSphere Application Server Integrated Solutions Console for the IBM Connections applications, these customized security roles will be needed to be re-mapped.

10 comments:

Unknown said...

Klaus Bild shared an excellent script to automate the reconfiguration of the roll mappings.

http://kbild.ch/2012/04/add-admin-users-to-connections-security-roles-the-easy-way/

Dave Hay said...

@Unknown - thanks for this, please consider sharing your real name so that I can thank you properly :-)

Unknown said...

Does anyone know if this issue is related to only IBM Connections 3.x or does the problem also exist in Connections 4.x ?

Dave Hay said...

@Jeff - according to the Technote - http://www-01.ibm.com/support/docview.wss?uid=swg21598514 - this only relates to IBM Connections 3.0.1 and 3.0.1.1

Unknown said...

Thanks for that information. I see the article about python script to automate this, but I am still getting my feet wet with WAS and wsadmin. Thrown into the Connections fire so to speak ! ;-)

Unknown said...

Another question somewhat related to this. Is anyone else using Active Directory as their LDAP source for connections. If so, do you know if you can use either Resource Groups or Role Groups for the group mapping? Resource Groups contail Role Groups which contain users, some software will allow a Resource Group to be used and it will do the lookup for the Role Group and User). Thanks, Jeff

Dave Hay said...

@Jeff - yes, I've used Active Directory and Connections 3.0.1 together quite happily. We had eight AD domains federated in, with users accessing the site from around the globe. We also had desktop Single Sign-On going with Kerberos/SPNEGO ( I've blogged/presented about that stuff elsewhere).

As far as Resource/Role Groups, that isn't something that I've had experience of, but it *should* be achievable.

Dave

Dave Hay said...

@Jeff - one more thing, there is an ongoing Skype chat for Connections practitioners. It was originally set up by a UK Business Partner, Stuart McIntyre, from Collaboration Matters, and the audience includes customers, partners and IBMers.

Check this post for details -> http://portal2portal.blogspot.co.uk/2010/10/lotus-connections-and-lotus-quickr.html

Unknown said...

Thanks to all for their answers !
RE: AD Resource Groups, I entered one and it seems to be working, so it looks like Connections can work with either Role Groups or Resource Groups.
Also, thanks for the information on Skype Chat for Connections. I haven't ever participated in one of those. I will try and look at to see what that involves.

Dave Hay said...

@Jeff - no worries, good luck. So when are you going to start a blog ?

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...