Have found an issue when using the Orchestrator Web Console where the permissions a user has are still active after they have been removed.
- Permissions on a runbook folder are granted to an AD group using the Designer console
- User is added to the AD group
- User can connect to Designer and also the Web Console to see and manage the runbooks in that folder
- Remove the user from the group
- In Designer, the user no longer has access and cannot see the folder or runbooks
- In the Web Console, the permissions are unchanged and the user can still view and manipulate the runbooks
Suggestions provided through a post to the TechNet forums suggested that the permissions are cached in the SQL database in the “Microsoft.SystemCenter.Orchestrator.Internal.AuthorizationCache” table; however, this table was already empty.
Restarting the servers and services, logging the user off and on, etc. made no difference. The permissions still persisted the following day.
Another user suggested this is a known bug and that they resolved it with a call to Microsoft. I can find no other mention/reference of this bug, so a call to Microsoft it is…
Microsoft have confirmed that there is a stored procedure in the SQL database that is an old one that should have been updated in SP1. Given this installation was a fresh install done using the SP1 media, it would appear the update procedure was not included in SP1 after all.
They have provided me with the updated stored procedure (Microsoft.SystemCenter.Orchestrator.GetSecurityToken) which seems to have fixed the problem. I’m just doing some more testing but it looks good.
- Microsoft have told me that this TechNet article is part of the same problem, so you should be able to request the hotfix using that.
- If you are in a rush and trust me enough you can download it from here.
- The original/current stored procedure is here in case you forgot to make a backup first
To back up the current SP (stored procedure)
- Open SQL Management Studio
- Expand to Database | Programmability | Stored Procedures
- Right Click Microsoft.SystemCenter.Orchestrator.GetSecurityToken
- Select Script Stored Procedure as | EXECUTE TO | File
- Select the location and name for the file. It will be a .sql file that you can open in Notepad to view
To apply the new SP
- Right Click the Database
- Select New Query
- Paste the contents of the Hotfix SP file into the query window
- Click Execute
- Restart the Orchestrator Web Server
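
A scripted way to keep a copy of the procedure and confirm the hotfix took effect, as an added example that is not part of the original post or of Microsoft's hotfix: it saves the procedure's full definition text before the hotfix is run and afterwards reports whether the definition changed. The database name `Orchestrator`, the schema/name split of the procedure and the scratch database `AdminScratch` are assumptions.

```sql
-- Added example. Assumptions: the Orchestrator database is named "Orchestrator",
-- the procedure lives in schema [Microsoft.SystemCenter.Orchestrator], and
-- AdminScratch is a hypothetical scratch database you are allowed to write to.
USE Orchestrator;
GO

-- 1. BEFORE the hotfix: store the full CREATE text and last-modified date.
IF OBJECT_ID(N'AdminScratch.dbo.ProcBackup') IS NULL
    CREATE TABLE AdminScratch.dbo.ProcBackup (
        ProcName    sysname       NOT NULL,
        SavedAt     datetime      NOT NULL DEFAULT GETDATE(),
        ModifiedAt  datetime      NOT NULL,
        -- NOT NULL on purpose: an encrypted or unreadable module returns NULL,
        -- and the insert should fail loudly rather than save an empty backup.
        Definition  nvarchar(max) NOT NULL
    );
GO

INSERT INTO AdminScratch.dbo.ProcBackup (ProcName, ModifiedAt, Definition)
SELECT s.name + N'.' + o.name, o.modify_date, m.definition
FROM sys.objects     AS o
JOIN sys.schemas     AS s ON s.schema_id = o.schema_id
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.object_id =
      OBJECT_ID(N'[Microsoft.SystemCenter.Orchestrator].[GetSecurityToken]');

-- Expect exactly one row; zero means the name or database is wrong.
IF @@ROWCOUNT <> 1
    RAISERROR(N'Procedure not found, nothing was backed up.', 16, 1);
GO

-- 2. AFTER running the hotfix script: compare the live definition with the
--    most recent saved copy. Status should read CHANGED.
SELECT TOP (1)
       b.SavedAt,
       b.ModifiedAt  AS ModifiedBefore,
       o.modify_date AS ModifiedNow,
       CASE WHEN b.Definition = m.definition
            THEN 'UNCHANGED' ELSE 'CHANGED' END AS Status
FROM AdminScratch.dbo.ProcBackup AS b
JOIN sys.sql_modules AS m
  ON m.object_id =
     OBJECT_ID(N'[Microsoft.SystemCenter.Orchestrator].[GetSecurityToken]')
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE b.ProcName = N'Microsoft.SystemCenter.Orchestrator.GetSecurityToken'
ORDER BY b.SavedAt DESC;
```

To roll back, the `Definition` column holds the original text; change its leading `CREATE PROCEDURE` to `ALTER PROCEDURE` and execute it in a new query window.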