K2 workspace authentication issues when using multiple security labels

  • 9 September 2016

Symptoms

Assume that you have configured an alternative/additional security label in K2 in addition to the default K2 label, which normally targets your on-prem AD DS. The additional label may be AAD or SQLUM. In this case, when the user name is exactly the same for the on-prem AD DS user and the AAD/SQLUM user, K2 still treats these users as separate identities (which is expected behavior). In K2 Workspace, however, this causes server rights to be checked against your alternative label instead of the default one (even if you logged in to K2 Workspace with a K2-label user who has all the necessary rights).

Diagnosis

K2 currently has certain limitations in the management of multiple identities (say, AAD + AD); these will be properly addressed only in the long run, when the K2 identity architecture is redesigned. At the moment the behavior is as follows. If you build a workflow and forms for a SharePoint list in Office 365, and a form has a picker control whose value you then use as a destination, the destination is likely to be the user's AAD account, because you are signed into SharePoint Online and the picker is returning those accounts. If another application operates outside of SharePoint, the destinations in the workflow may instead be based on the user's AD credentials. The user would therefore need to check their K2 worklist while logged in as each of these identities in order to manage their tasks (unless the client creates a custom worklist).

In other words, different labels amount to different identities for K2.

At the moment, the only workarounds for this are:

  1. Assign the task to both security labels. For example, if a task is to be assigned to DENALLIXmike, assign it to both AAD:DENALLIXmike and K2:DENALLIXmike. The task will then be available in whatever context the user interacts with a worklist control.
  2. Set up Out of Office (OOO) on the users such that AD DenallixMike delegates to AAD mike@denallix.com and AAD mike@denallix.com delegates to AD DenallixMike. This way, no matter how they open their worklist, they will see the tasks.

Resolution

See the Diagnosis section for details on the K2 limitations related to managing multiple identities/labels.

The issue where K2 Workspace mistakenly checks rights against the default label, even though the user is actually logged in "from another label", has been logged internally for further investigation (internal ID 687489). As the explanation above makes clear, the workaround is to grant identical rights to both identities of the user (i.e. the AAD and on-prem AD users should have the same rights granted in Workspace to avoid this issue).
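The following is an added toy model, not K2 code, of the behavior described in the Diagnosis and Resolution sections: an identity is label plus user name, so the same person under two labels has two worklists, and the two workarounds (assigning to both labels, and OOO delegation in both directions) close the gap. The Identity and Worklist types, method names and the DENALLIX sample accounts are this example's own constructions.

```python
"""Toy model of the label-qualified identities the article describes.

Added example, not K2 code: Identity, Worklist and the method names are this
example's own. It shows why K2:DENALLIX\\mike and AAD:mike@denallix.com are
two identities with two worklists, and how the two workarounds (assign to both
labels; Out-of-Office delegation in both directions) close the gap.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    label: str  # security label, e.g. "K2" (on-prem AD DS) or "AAD"
    name: str   # user name as that label's provider knows it


@dataclass
class Worklist:
    tasks: dict[str, set[Identity]] = field(default_factory=dict)  # task -> destinations
    ooo: dict[Identity, set[Identity]] = field(default_factory=dict)  # OOO: from -> to

    def assign(self, task_id: str, *dests: Identity) -> None:
        self.tasks.setdefault(task_id, set()).update(dests)

    def delegate(self, frm: Identity, to: Identity) -> None:
        self.ooo.setdefault(frm, set()).add(to)

    def visible_to(self, who: Identity) -> set[str]:
        # Matching is on the full label-qualified identity, never on the bare
        # user name, so a K2-label login does not see AAD-label tasks unless
        # the AAD identity delegates to it.
        return {
            tid for tid, dests in self.tasks.items()
            if who in dests or any(who in self.ooo.get(d, ()) for d in dests)
        }


def worklist_views(with_ooo: bool) -> dict[str, set[str]]:
    """Constructed scenario: one person, two labels; returns what each login sees."""
    ad = Identity("K2", "DENALLIX\\mike")         # on-prem AD DS via the default label
    aad = Identity("AAD", "mike@denallix.com")    # the same person under the AAD label
    wl = Worklist()
    wl.assign("T1", aad)      # picker used inside SharePoint Online -> AAD account
    wl.assign("T2", ad)       # workflow started outside SharePoint -> AD account
    wl.assign("T3", ad, aad)  # workaround 1: assigned to both labels
    if with_ooo:              # workaround 2: OOO delegation in both directions
        wl.delegate(ad, aad)
        wl.delegate(aad, ad)
    return {f"{i.label}:{i.name}": wl.visible_to(i) for i in (ad, aad)}
```

Without delegation each login sees only its own label's tasks plus the dual-assigned T3; with delegation in both directions every task is visible from either login.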