(CSA) Support Tip: Problems with Group Ownership of subscriptions after upgrade to CSA 4.7
After upgrading CSA from version 4.5 to version 4.7, you may encounter unwanted behavior: the service of a group-owned subscription is no longer visible to all members of the group that owns the subscription.
Users can experience different behaviors, depending on the stage of the configuration:
- either the user cannot "see" group-owned subscriptions (not requested by that user, but which the user is normally entitled to see),
- or the user can see them, but when trying to access them receives the following error in the browser: "Subscription not found".
During the CSA 4.7 upgrade process, user-related data is transferred from the CSA DB to the IDM DB, and some OWNER group information for group-owned subscriptions can be wrongly updated.
Two cases have been identified so far:
1. First, the OWNER_GROUP in the CSA DB table CSA_SERVICE_SUBSCR is stored correctly for dates that contain French characters (décembre, février, etc.), but in the IDM DB 'abstract_group' table the special characters (French accents) in the name have been replaced with '-',
for instance: 'f-vrier' (février = February).
Solution: update the IDM DB 'abstract_group' table so that it contains the correct French characters, as in the CSA DB. This problem is due to a mismatch in DB collations.
2. The other problem identified is that, for some groups that were declared in CSA Access Control with a name like "Grp_clouduser_ABCD", the older subscriptions have OWNER_GROUP values in CSA_SERVICE_SUBSCR that are the full DN, exactly as declared in LDAP: "CN=Grp_clouduser_abcD,OU=abc,OU=org,DC=domM,DC=dom".
The logic for updating the owner group field of a subscription during the upgrade was to extract the RDN (relative distinguished name) from the owner group field of the subscription, i.e. "CN=Grp_clouduser_abcD,OU=abc".
This RDN is compared against the DISTINGUISHED_NAME field in the access control list. Because this comparison was case-sensitive, an exact match was not found (due to uppercase letters in the Access Control distinguished name).
Thus, the OWNER_GROUP information was not updated in the CSADB table CSA_SERVICE_SUBSCR. This leads to permission-denied behavior on the group-owned subscriptions.
Solution: manually update the entries in the CSADB 'CSA_SERVICE_SUBSCR' table. In the example given:
UPDATE CSA_SERVICE_SUBSCR SET OWNER_GROUP='Grp_clouduser_ABCD' where OWNER_GROUP='CN=Grp_clouduser_abcD,OU=abc,OU=org,DC=domM,DC=dom';
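When many subscriptions are affected, the manual fix for case 2 can be planned from exported data. The following is an added example, not HPE or CSA code: it matches full-DN OWNER_GROUP values against Access Control entries case-insensitively and returns bind parameters for the UPDATE above. The (group name, DN) shape of the Access Control export, the sample values and the `?` placeholder style are assumptions.

```python
# Added example. Sample values are constructed from the article's example.

# Bind-parameter form of the article's UPDATE. The placeholder style ("?")
# depends on the DB driver in use (assumption).
UPDATE_SQL = "UPDATE CSA_SERVICE_SUBSCR SET OWNER_GROUP = ? WHERE OWNER_GROUP = ?"

def normalize_dn(dn):
    """Case-fold a DN and trim each component so DNs compare case-insensitively.
    Splits on ',' naively: DNs containing escaped commas need a real DN parser."""
    return ",".join(part.strip().casefold() for part in dn.split(","))

def plan_owner_group_fixes(owner_groups, acl_entries, case_sensitive=False):
    """Return (fixes, unmatched).

    owner_groups: distinct OWNER_GROUP values read from CSA_SERVICE_SUBSCR.
    acl_entries:  (group_name, distinguished_name) pairs exported from
                  CSA Access Control (hypothetical export shape).
    fixes:        (new_owner_group, old_owner_group) tuples, in UPDATE_SQL order.
    unmatched:    full-DN values with no Access Control match, for manual review.
    """
    key = (lambda s: s) if case_sensitive else normalize_dn
    name_by_dn = {key(dn): name for name, dn in acl_entries}
    fixes, unmatched = [], []
    for value in owner_groups:
        if not value.strip().upper().startswith("CN="):
            continue  # already a plain group name, nothing to fix
        name = name_by_dn.get(key(value))
        if name is None:
            unmatched.append(value)
        else:
            fixes.append((name, value))
    return fixes, unmatched

# Constructed sample data: one Access Control entry whose DN differs from the
# stored OWNER_GROUP only by letter case, plus one already-correct value.
ACL = [("Grp_clouduser_ABCD", "CN=Grp_clouduser_ABCD,OU=abc,OU=org,DC=domM,DC=dom")]
OWNER_GROUPS = ["CN=Grp_clouduser_abcD,OU=abc,OU=org,DC=domM,DC=dom",
                "Grp_other_team"]

if __name__ == "__main__":
    # Case-sensitive matching reproduces the upgrade behavior: nothing matches.
    print(plan_owner_group_fixes(OWNER_GROUPS, ACL, case_sensitive=True))
    # Case-insensitive matching yields the parameters for the manual UPDATE.
    for params in plan_owner_group_fixes(OWNER_GROUPS, ACL)[0]:
        print(UPDATE_SQL, params)
```

Review the unmatched list by hand and back up CSA_SERVICE_SUBSCR before executing any of the planned updates.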