Symptoms
We lost all tabs in K2 Workspace in our DEV/INT environment since this morning
Or yesterday as I first discover I problem on my account when I tried to use K2 package and deployment on INT server : ( Export right missing )
Went on workspace to check why I had no more this role and ... could not access the 'server right' list ( insufficient right error ) : was ok on DEV server part on the same workspace ( workspace web url is shared for DEV and INT )
and this morning , seems everyone lost access to alls TAB in this shared INT / DEV workspace
Diagnoses
Currently you have 2 domains linked to K2:
Domain1
Domain2 (Where are the K2 installation account)
In the table [Workspace].[ActionPermission] (corresponding to the button to display or not in the workspace: WorkSpace/Security/Workspace Permission/Management/Management Console), we found only users linked to the Domain1 except one user ""K2:Domain2K2InstallationAccount"
--More Analysis:
SELECT * FROM [Workspace].[ActionPermission]
--User names:
SELECT DISTINCT [ActionPermission].UserName ,
[Action].Description,
[SecurityCredentialCache].UserName AS "UserNameFromSecurityCredentialCache",
[SecurityCredentialCache].CreationDate,
[SecurityCredentialCache].LastAccessDateUtc,
[Identity].ExpireOn AS ExpireOn,
[Identity].MembersExpireOn AS MembersExpireOn,
[Identity].ContainersExpireOn AS ContainersExpireOn,
[Identity].Resolved AS Resolved,
[Identity].Enabled AS Enabled,
[Identity].ContainersResolved AS ContainersResolved
FROM [Workspace].[ActionPermission]
LEFT JOIN [Workspace].[Action] ON [Action].ID=[ActionPermission].ActionID
LEFT JOIN [HostServer].[SecurityCredentialCache] ON [SecurityCredentialCache].[CustomUserID]=[ActionPermission].UserID
LEFT JOIN [Identity].[Identity] ON [Identity].FQN=[ActionPermission].UserName
WHERE CollectiveName IS NULL
ORDER BY [SecurityCredentialCache].LastAccessDateUtc DESC
--All informations
SELECT [ActionPermission].*,
[Action].Description,
[SecurityCredentialCache].UserName AS "UserNameFromSecurityCredentialCache",
[SecurityCredentialCache].CreationDate,
[SecurityCredentialCache].LastAccessDateUtc
FROM [Workspace].[ActionPermission]
LEFT JOIN [Workspace].[Action] ON [Action].ID=[ActionPermission].ActionID
LEFT JOIN [HostServer].[SecurityCredentialCache] ON [SecurityCredentialCache].[CustomUserID]=[ActionPermission].UserID
ORDER BY [SecurityCredentialCache].LastAccessDateUtc DESC
--Groups:
SELECT DISTINCT [ActionPermission].CollectiveName ,
[Action].Description,
[Identity].ExpireOn AS ExpireOn,
[Identity].MembersExpireOn AS MembersExpireOn,
[Identity].ContainersExpireOn AS ContainersExpireOn,
[Identity].Resolved AS Resolved,
[Identity].Enabled AS Enabled,
[Identity].ContainersResolved AS ContainersResolved
FROM [Workspace].[ActionPermission]
LEFT JOIN [Workspace].[Action] ON [Action].ID=[ActionPermission].ActionID
LEFT JOIN [Identity].[Identity] ON [Identity].Name=[ActionPermission].CollectiveName
WHERE CollectiveName IS NOT NULL
ORDER BY CollectiveName DESC
Standard explanation:
How permissions works in workspace:
If permissions has not been set for anyone, everyone has access.
As soon as you assign permissions to a certain user, only that user will have access to that area.
From our findings, we believe that someone might have fiddled with the permissions and this lead to everyone having lose access to management console.
You can see who have currently the access to the workspace Management Console but executing the following query on the K2 database(See attached screen shot)
select * from [Workspace].[ActionPermission]
This query correspond to users impacted by "SecurityWorkspace Menu PermissionManagementManagement Console": Currently only these listed user have the possibility to access to the Management Console.
We advise you to connect to one of the user listed by this query and do the corresponding modification on this screen directly.
If you haven't the login of the listed users, or if you have others issues, this process can be reversed/we can get around it by truncating the "[K2].[Workspace].[ActionPermission]" table.
This will empty the table and then everyone should have access to everything again:
On the K2 database:
TRUNCATE TABLE [Workspace].[ActionPermission]
Resolution
In the table [Workspace].[ActionPermission] (corresponding to the button to display or not in the workspace: WorkSpace/Security/Workspace Permission/Management/Management Console), we found only users linked to the Domain1 except one user ""K2:Domain2K2InstallationAccount"
We removed this user from the table [Workspace].[ActionPermission] and all other users was then able to see expected buttons.
Note: After several week, we tried to re-add manually the "K2:Domain2K2InstallationAccount" on the table [Workspace].[ActionPermission] (not possible by the screens), but we don't reproduce the issue.
