Absent Member.

User not allowed to read 01000100010001001 (All Users)

Hi everyone.

I tried to see if this issue had already emerged here, but it doesn't seem that way.

I have my ESM logs reporting this error to my Level 1 analysts:

  • Access Denied: _USER_ACCOUNT_ is not allowed to read 01000100010001001 (All Users)

My analysts have permissions to read every object as well as "read permissions".

I'm using ESM 6.5.1 but it probably also affects other versions.

If you have any quick idea what could cause this, please let me know.

Otherwise thank you for looking into it.

Cheers

Ludovico Lopes

Messages in /default/server.log

[0000-00-00 00:00:00,000][WARN ][default.com.arcsight.server.ASXmlRpcHandler] During access to com.arcsight.server.resource.GroupBrokerSkel.getResourcesByIDs from 10.xx.xx.xx (10.xx.xx.xx): com.arcsight.common.persist.AccessDeniedExceptionAccess Denied: _USER_ACCOUNT_ is not allowed to read 01000100010001001 (All Users)

[0000-00-00 00:00:00,000][ERROR][default.com.arcsight.server.Server$RpcErrorHandler]

com.arcsight.common.persist.AccessDeniedException: Access Denied: _USER_ACCOUNT_ is not allowed to read 01000100010001001 (All Users)

  at com.arcsight.common.persist.CachingResourceBrokerBase._getCachedResourcesByIDsImpl(CachingResourceBrokerBase.java:1498)

  at com.arcsight.common.persist.CachingResourceBrokerBase.getResourcesByIDs(CachingResourceBrokerBase.java:1400)

  at com.arcsight.server.resource.ResourceBrokerSkelBase._getSerializedResourcesByIDs(ResourceBrokerSkelBase.java:166)

  at com.arcsight.server.resource.ResourceBrokerSkelBase.getResourcesByIDs(ResourceBrokerSkelBase.java:151)

  at sun.reflect.GeneratedMethodAccessor374.invoke(Unknown Source)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at com.arcsight.server.ASXmlRpcHandler.execute(ASXmlRpcHandler.java:297)

  at helma.xmlrpc.StreamingXmlRpcServer$Worker.execute(Unknown Source)

  at helma.xmlrpc.StreamingXmlRpcServer.execute(Unknown Source)

  at helma.xmlrpc.StreamingXmlRpcServer.execute(Unknown Source)

  at com.arcsight.server.XmlRpcServlet.doPost2(XmlRpcServlet.java:477)

  at com.arcsight.server.XmlRpcServlet.doPost(XmlRpcServlet.java:363)

  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)

  at com.arcsight.server.w.service(w.java:66)

  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

  at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:488)

  at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:403)

  at org.mortbay.http.HandlerContext.handle(HandlerContext.java:1050)

  at org.mortbay.http.HandlerContext.handle(HandlerContext.java:1003)

  at org.mortbay.http.HttpServer.service(HttpServer.java:774)

  at org.mortbay.http.HttpConnection.service(HttpConnection.java:745)

  at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:918)

  at org.mortbay.http.HttpConnection.handle(HttpConnection.java:760)

  at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:165)

  at com.arcsight.server.SeededJsseListener.handleConnection(SeededJsseListener.java:280)

  at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:287)

  at org.mortbay.util.ThreadPool$JobRunner.run(ThreadPool.java:773)

  at java.lang.Thread.run(Thread.java:680)

Absent Member.

Hello Ludovico,

Did you solve this problem ?

I'm facing this issue in ESM 6.5cSP1 too.

Should I open a ticket with support ?

Best Regards,

Paulo Rosado

Absent Member.

Actually, not yet.

I was able to see that this issue was already in my previous ESM5. (now we are in ESM 6.5 SP1).

Our permissions configurations were set by hand and with a moderate detail. Even so none of my colleagues are facing real issues with it.

My proposals are the following:

1) Identify all accounts in which this occurs. (I think this is just occurring in some junior accounts, not all)

2) List all ArcSight events that were detected for them by the time of the alert. The idea is to see if there is any specific action that triggers this alert. For instance creating investigation channels.

3) If we detect the action, GREAT. Then we can replay the actions and see if our changes actually turned off this error. If not, at least we tried.

4) I will probably move my users to a different permission group that would allow me to play with them without affecting all of the others.

5) For some time I will promote them to Level 2 and see if that fixes the issue. If not, then it may be issues with the object “User” and not exactly a “permission issue”. If the issues are gone, then it may be permissions.

6) For some time I will revoke and grant permissions one at a time until I get the correct one.

Well, from there I will see what is going on.

Will this help you and the others interested?

Absent Member.

Hi Everyone.

I have good news.

Although I haven't yet fixed the issue, I managed to pinpoint good information to do it,

I just need to actually save some time to apply it.

Please see below some information regarding the default ESM content tree and ID.

From it I understood that my permissions issues may be related with Group with uri="/All Users/". (Alright, I can see that initial event said so but I was not reading like that.)


How do I know it?

I looked for a package I had with default ArcSight content and I spotted it there.

FYI

            <ref type="Group" uri="/All Active Channels/" id="01000100010001033"/>

            <ref type="Group" uri="/All Active Lists/" id="01000100010001024"/>

            <ref type="Group" uri="/All Archived Reports/" id="01000100010001010"/>

            <ref type="Group" uri="/All Asset Categories/" id="01000100010001031"/>

            <ref type="Group" uri="/All Assets/" id="01000100010001004"/>

            <ref type="Group" uri="/All Cases/All Cases/" id="01000100017777777"/>

            <ref type="Group" uri="/All Agents/" id="01000100010001003"/>

            <ref type="Group" uri="/All Customers/" id="01000100010001035"/>

            <ref type="Group" uri="/All Dashboards/" id="01000100010001022"/>

            <ref type="Group" uri="/All Data Monitors/" id="01000100010001019"/>

            <ref type="Group" uri="/All Destinations/" id="01000100010001023"/>

            <ref type="Group" uri="/All Field Sets/" id="01000100010001037"/>

            <ref type="Group" uri="/All Fields/" id="01000100010001036"/>

            <ref type="Group" uri="/All Files/" id="01000100010001017"/>

            <ref type="Group" uri="/All Filters/" id="01000100010001002"/>

            <ref type="Group" uri="/All Integration Commands/" id="01000100010001054"/>

            <ref type="Group" uri="/All Integration Configurations/" id="01000100010001053"/>

            <ref type="Group" uri="/All Integration Targets/" id="01000100010001055"/>

            <ref type="Group" uri="/All Knowledge Base Articles/" id="01000100010001006"/>

            <ref type="Group" uri="/All Locations/" id="01000100010001039"/>

            <ref type="Group" uri="/All Networks/" id="01000100010001040"/>

            <ref type="Group" uri="/All Permissions/" id="01000100010001058"/>

            <ref type="Group" uri="/All Queries/" id="01000100010001043"/>

            <ref type="Group" uri="/All Query Viewers/" id="01000100010001051"/>

            <ref type="Group" uri="/All Report Templates/" id="01000100010001044"/>

            <ref type="Group" uri="/All Reports/" id="01000100010001009"/>

            <ref type="Group" uri="/All Rules/" id="01000100010001005"/>

            <ref type="Group" uri="/All Saved Searches/" id="01000100010001062"/>

            <ref type="Group" uri="/All Search Filters/" id="01000100010001063"/>

            <ref type="Group" uri="/All Session Lists/" id="01000100010001045"/>

            <ref type="Group" uri="/All Stages/" id="01000100010001034"/>

            <ref type="Group" uri="/All Trends/" id="01000100010001046"/>

            <ref type="Group" uri="/All Use Cases/" id="01000100010001052"/>

            <ref type="Group" uri="/All Users/" id="01000100010001001"/>

            <ref type="Group" uri="/All Vulnerabilities/" id="01000100010001026"/>

            <ref type="Group" uri="/All Zones/" id="01000100010001029"/>
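Added example (not part of the original posts and not ArcSight code): one way to carry out step 1 of the plan earlier in the thread, tallying which accounts hit the denial in server.log, and to resolve the numeric resource ID through the `<ref>` entries listed above. The account names, host, timestamps and the `EXAMPLE-ID-0001` ID in the sample log are constructed; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Three of the <ref> entries quoted in the post above.
REFS = """
<ref type="Group" uri="/All Permissions/" id="01000100010001058"/>
<ref type="Group" uri="/All Users/" id="01000100010001001"/>
<ref type="Group" uri="/All Zones/" id="01000100010001029"/>
"""

# Matches only the WARN line; the ERROR line and the exception line that follow
# repeat the same denial and would double-count it.
DENIED = re.compile(
    r"^\[[^\]]+\]\[WARN ?\]\[[^\]]+\] During access to (?P<method>\S+) from "
    r"(?P<host>\S+) \([^)]*\): .*?Access Denied: (?P<user>\S+) is not allowed "
    r"to (?P<action>\w+) (?P<rid>\S+) \((?P<name>[^)]*)\)")

def warn_line(ts, user, rid, name):
    """Build a constructed sample line in the server.log format quoted in the thread."""
    return (f"[{ts}][WARN ][default.com.arcsight.server.ASXmlRpcHandler] During access to "
            "com.arcsight.server.resource.GroupBrokerSkel.getResourcesByIDs from host1 "
            "(10.0.0.5): com.arcsight.common.persist.AccessDeniedException"
            f"Access Denied: {user} is not allowed to read {rid} ({name})")

# Constructed sample log: account names, host, timestamps and the last ID are made up.
SAMPLE_LOG = "\n".join([
    warn_line("2015-08-14 16:19:02,399", "analyst1", "01000100010001001", "All Users"),
    "[2015-08-14 16:19:02,399][ERROR][default.com.arcsight.server.Server$RpcErrorHandler]",
    "com.arcsight.common.persist.AccessDeniedException: Access Denied: analyst1 is not allowed to read 01000100010001001 (All Users)",
    warn_line("2015-08-14 16:25:40,010", "analyst1", "01000100010001001", "All Users"),
    warn_line("2015-08-14 16:31:11,712", "analyst2", "01000100010001001", "All Users"),
    warn_line("2015-08-14 16:32:05,120", "analyst2", "EXAMPLE-ID-0001", "Example Group"),
])

def load_groups(ref_xml):
    """Map resource ID -> group URI from a fragment of <ref> elements."""
    root = ET.fromstring(f"<refs>{ref_xml}</refs>")
    return {r.get("id"): r.get("uri") for r in root.iter("ref")}

def denied_by_account(log_text, groups):
    """Count denials per (account, resource ID, resolved URI)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            counts[m["user"], m["rid"], groups.get(m["rid"], "(unknown id)")] += 1
    return counts
```

Calling `denied_by_account(open(path).read(), load_groups(refs))` on a real log gives the per-account tally; IDs missing from the supplied `<ref>` fragment are reported as `(unknown id)` rather than dropped.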

Absent Member.

Any luck with fixing the issue?  I'm experiencing the same error message.

Thanks,

- Brandon

Absent Member.

Not really.

No direct relation appeared between our configurations and this error, so I will actually drop it.

My analysts and customers are able to work so I won't waste more time.

New Member.

Hi Ludovico,

Check ACLs for the user name you see in logs. Most likely she doesn't have write access to any of the /All Users/... groups and doesn't need to. If so make sure when you look at ACLs for the user (Right click on the group -> Edit Access Control -> Resources) there are no entries starting with "/All Users/".

I faced this problem before and it seems giving users read only access to anything inside /All Users/ causes those errors in logs.

Let me know how you go.

Cheers

Honored Contributor.

I opened a support ticket about this without luck but after a bunch of testing I discovered a bug. I've asked support to create a bug id for it and fix it in the next version as I was able to reproduce this on two vanilla systems. The bug is that in the folder your users are in, you cannot give them top level "Administrators" folder read (or write) permissions. You can give permissions to read folders inside the Administrators folder, but not the Administrators folder itself. You will notice if you give the users access to folders inside the Administrator folder that those folders do not appear as sub folders, they appear as root folders. It appears "All Users" and "Administrators" are linked somehow which causes the error since the console won't allow you to edit the permissions on the "All Users" folder.

com.arcsight.common.persist.AccessDeniedException: Access Denied: username is not allowed to read 01000100010001001 (All Users)

[2015-08-14 16:19:02,399][WARN ][default.com.arcsight.server.ASXmlRpcHandler] During access to com.arcsight.server.resource.GroupBrokerSkel.getResourcesByIDs from machinename (1.2.3.4): com.arcsight.common.persist.AccessDeniedExceptionAccess Denied: username is not allowed to read 01000100010001001 (All Users)

[2015-08-14 16:19:02,399][ERROR][default.com.arcsight.server.Server$RpcErrorHandler]
