Security issues

This section describes how to recover your environment if a default security role has been deleted.

When managing security roles, the administrator might delete a default security role. The following topics explain how to troubleshoot your environment if one of these situations occurs:
FULL_CONTROL role has been deleted
If the administrator deletes the FULL_CONTROL role, the environment can be recovered by restarting the IAA microservice. The FULL_CONTROL role is automatically recreated during startup.
Roles have been deleted from access control lists
The administrator might also delete roles from access control lists. The procedure described below explains how to recover the environment if one of the following situations occurs:
  • The administrator has removed their own FULL_CONTROL reference from the access control list defined on the root (/) folder.
  • The administrator has removed both the API_KEY_ADMINISTRATOR administrative role and the ACL permission defined on the resource FOLDER of the FULL_CONTROL role related to the access control list defined on the root (/) folder.
Procedure:
  1. Delete the FULL_CONTROL role and the access control list defined on the root (/) folder.
    1. Access the database.
    2. From the IAA microservice database, select the iaa_role collection and delete the FULL_CONTROL document.
    3. Select the iaa_acl collection and delete the access control list defined on the root (/) folder.
  2. Restart the IAA microservice.
The access control list defined on the root (/) folder and roles are recreated during the startup.
You created an access control list for a user, but the user did not receive permissions as expected
If the user did not receive the expected permissions after the creation of the access control list, check the letter case that has been used for the names of the user and of the group. The letter case used in the authentication provider and the access control list must be the same.
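One way to run the letter-case check described above is shown here. It is an added example, not part of the product or its documentation. It assumes you have already obtained two plain lists of names, one from the authentication provider and one from your access control lists; the function name and the sample names are constructed for illustration.

```python
def audit_acl_principals(acl_names, provider_names):
    """Compare user/group names used in ACLs with the authentication provider's names.

    Returns {acl_name: (status, detail)} where status is one of:
      "exact"         - same spelling and letter case as the provider
      "case_mismatch" - differs from a provider name only by letter case;
                        detail lists the provider spelling(s) to use instead
      "unknown"       - no provider name matches, even ignoring case
    """
    provider_exact = set(provider_names)

    # Index provider names by their case-folded form. Two provider entries
    # may differ only by case, so keep every spelling for each folded key.
    by_folded = {}
    for provider_name in provider_names:
        by_folded.setdefault(provider_name.casefold(), []).append(provider_name)

    report = {}
    for name in acl_names:
        if name in provider_exact:
            report[name] = ("exact", name)
        elif name.casefold() in by_folded:
            report[name] = ("case_mismatch", sorted(by_folded[name.casefold()]))
        else:
            report[name] = ("unknown", None)
    return report


# Constructed sample data: names as the authentication provider returns them,
# and names as they were typed into access control lists.
PROVIDER_NAMES = ["jsmith", "Ops-Admins", "ops-admins", "auditors"]
ACL_NAMES = ["JSmith", "Ops-Admins", "OPS-ADMINS", "Auditors", "contractors"]

if __name__ == "__main__":
    for acl_name, (status, detail) in audit_acl_principals(ACL_NAMES, PROVIDER_NAMES).items():
        if status == "case_mismatch":
            print(f"{acl_name}: letter case differs, provider uses {detail}")
        elif status == "unknown":
            print(f"{acl_name}: not found in the authentication provider")
        else:
            print(f"{acl_name}: ok")
```

A "case_mismatch" result means the access control list entry should be recreated with the provider's spelling. An "unknown" result points to a different problem, such as a misspelled or removed user or group.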
The ocli model display command does not produce the expected outcome
If a user runs the ocli model display command, but the outcome is not as expected, verify that the DISPLAY permission is granted to that user for the specified item type.