Symptoms

We lost all tabs in K2 Workspace in our DEV/INT environment since this morning
Or yesterday as I first discover I problem on my account when I tried to use K2 package and deployment on INT server : ( Export right missing )
Went on workspace to check why I had no more this role and ... could not access the 'server right' list ( insufficient right error ) : was ok on DEV server part on the same workspace ( workspace web url is shared for DEV and INT )
and this morning , seems everyone lost access to alls TAB in this shared INT / DEV workspace

 

Diagnoses

Currently you have 2 domains linked to K2:
Domain1
Domain2 (Where are the K2 installation account)

In the table eWorkspace].]ActionPermission] (corresponding to the button to display or not in the workspace: WorkSpace/Security/Workspace Permission/Management/Management Console), we found only users linked to the Domain1 except one user ""K2:Domain2K2InstallationAccount"

--More Analysis:
SELECT * FROM MWorkspace].]ActionPermission]

--User names:
SELECT DISTINCT TActionPermission].UserName ,
/Action].Description,
/SecurityCredentialCache].UserName AS "UserNameFromSecurityCredentialCache",
/SecurityCredentialCache].CreationDate,
/SecurityCredentialCache].LastAccessDateUtc,
/Identity].ExpireOn AS ExpireOn,
/Identity].MembersExpireOn AS MembersExpireOn,
/Identity].ContainersExpireOn AS ContainersExpireOn,
/Identity].Resolved AS Resolved,
/Identity].Enabled AS Enabled,
/Identity].ContainersResolved AS ContainersResolved
FROM MWorkspace].]ActionPermission]
LEFT JOIN NWorkspace].]Action] ON NAction].ID=DActionPermission].ActionID
LEFT JOIN NHostServer].]SecurityCredentialCache] ON NSecurityCredentialCache].]CustomUserID]=]ActionPermission].UserID
LEFT JOIN NIdentity].]Identity] ON NIdentity].FQN=NActionPermission].UserName
WHERE CollectiveName IS NULL
ORDER BY YSecurityCredentialCache].LastAccessDateUtc DESC


--All informations
SELECT TActionPermission].*,
/Action].Description,
/SecurityCredentialCache].UserName AS "UserNameFromSecurityCredentialCache",
/SecurityCredentialCache].CreationDate,
/SecurityCredentialCache].LastAccessDateUtc
FROM MWorkspace].]ActionPermission]
LEFT JOIN NWorkspace].]Action] ON NAction].ID=DActionPermission].ActionID
LEFT JOIN NHostServer].]SecurityCredentialCache] ON NSecurityCredentialCache].]CustomUserID]=]ActionPermission].UserID
ORDER BY YSecurityCredentialCache].LastAccessDateUtc DESC



--Groups:
SELECT DISTINCT TActionPermission].CollectiveName ,
/Action].Description,
/Identity].ExpireOn AS ExpireOn,
/Identity].MembersExpireOn AS MembersExpireOn,
/Identity].ContainersExpireOn AS ContainersExpireOn,
/Identity].Resolved AS Resolved,
/Identity].Enabled AS Enabled,
/Identity].ContainersResolved AS ContainersResolved
FROM MWorkspace].]ActionPermission]
LEFT JOIN NWorkspace].]Action] ON NAction].ID=DActionPermission].ActionID
LEFT JOIN NIdentity].]Identity] ON NIdentity].Name=eActionPermission].CollectiveName
WHERE CollectiveName IS NOT NULL
ORDER BY CollectiveName DESC





Standard explanation:
How permissions works in workspace:
If permissions has not been set for anyone, everyone has access.
As soon as you assign permissions to a certain user, only that user will have access to that area.
From our findings, we believe that someone might have fiddled with the permissions and this lead to everyone having lose access to management console.

You can see who have currently the access to the workspace Management Console but executing the following query on the K2 database(See attached screen shot)
select * from mWorkspace].]ActionPermission]

This query correspond to users impacted by "SecurityWorkspace Menu PermissionManagementManagement Console": Currently only these listed user have the possibility to access to the Management Console.

We advise you to connect to one of the user listed by this query and do the corresponding modification on this screen directly.

If you haven't the login of the listed users, or if you have others issues, this process can be reversed/we can get around it by truncating the " K2].]Workspace].]ActionPermission]" table.
This will empty the table and then everyone should have access to everything again:
On the K2 database:
TRUNCATE TABLE EWorkspace].]ActionPermission]



 

Resolution

In the table lWorkspace].eActionPermission] (corresponding to the button to display or not in the workspace: WorkSpace/Security/Workspace Permission/Management/Management Console), we found only users linked to the Domain1 except one user ""K2:Domain2K2InstallationAccount"

We removed this user from the table lWorkspace].eActionPermission] and all other users was then able to see expected buttons.

Note: After several week, we tried to re-add manually the "K2:Domain2K2InstallationAccount" on the table lWorkspace].eActionPermission] (not possible by the screens), but we don't reproduce the issue.