Permissions are not applied if a specific user is granted access to the folder.
Here is an example:
Group/Folder "Support" has view and add permission for the helpdesk role. Users with the helpdesk role can view and add sessions to this folder. John is the manager of the helpdesk. He wants to be able to edit and delete entries from this folder.
I added only John's account to edit and delete. However, John cannot edit or delete entries. He can see and add because he has the helpdesk role.
I am using AD authentication and AD group mapping for roles.
Hello,
What version of RDM are you using?
What version of Devolutions Server are you using?
Best regards,
Mark Beausejour
RDM 12.6.8.0
Devolution 4.6.1.0
Hello,
Even if the user has the Edit and Delete rights, this doesn't allow him these permissions on the folder.
To be able to Edit and Delete entries in a folder, you must add this user in the Edit and Delete Permissions of the Support folder.
Best regards,
Érica Poirier
Thank you Erica for your reply,
My user type is "User" instead of "Restricted User". Is this causing the issue? I thought "User" is basically a "Restricted User" with all the permissions in the first picture.
Hello,
The user type "User" has indeed all rights (Add, Add in Root, Edit and Delete). But this doesn't allow permissions on Group Folders. You must add this user in the Edit and Delete permissions of the Support folder.
Or, if you do not want to manage individual users in the Permissions section, you can create another group like Help Desk Manager and allow Edit and Delete permissions to this group. And then add the user John as a member of this AD Group.
Best regards,
Érica Poirier
I added John based on the second picture of your first post to edit and delete permission. Just John, and nobody else has edit and delete permission. John's user is a "User" type.
John still cannot edit or delete.
Hello,
Do you have a Security Group set on this folder in the Security Group section?
If the Edit and Delete permissions are set to Default and there are no inherited permissions, every user that has Edit and Delete permissions should be able to modify or delete entries.
Could you please post a print screen of the Permission tab of the Support Group Folder properties?
Best regards,
Érica Poirier
There is no security group set up on the folder. I deny everything on the root folder and leave nothing as default.
I attached the screenshot.
Hello,
So as I understand, John is a member of the RDM_ClientServices_Access role. And before adding this user in the Edit and Delete permissions, it was set to Never from the Root settings.
This is a very strange behavior and I am still unable to reproduce your issue. Could you please try to refresh the local cache file with CTRL+F5 on the keyboard when connected with user John?
Best regards,
Érica Poirier
I have the same issue in my environment.
RDM 12.9.2.0
DVLS 4.6.1
I have a user offi2010; this user has full rights on a Sub Folder.
The user can't see the Folder/Group in his account.
I guess the rights have no effect.
The issue stays if I press CTRL+F5 as well.
Hello,
@MarcST1984, I will answer you on the following forum thread.
https://forum.devolutions.net/topic28406--security-groups.aspx?lastpage=1#post108880
Best regards,
Érica Poirier
That is correct
I refreshed the client, created a new data source for John, rebooted the client, rebooted the server. John still cannot edit or delete.
Here is more information:
I am using AD authentication. John is a member of AD and logs in with Windows credentials, and RDM_ClientServices_Access is an AD group (which is connected to the role). John is part of RDM_ClientServices_Access in AD. I do not have any security groups.
Hello,
Thank you very much for the information.
I have finally been able to reproduce your issue, but this is a very tricky one. Are you using the NetBIOS username format in the data source configuration? When I connect using domain\username, I have the same behavior as yours.
The reason I wasn't able to reproduce it was that I used the UPN username format (username@domain.loc).
Could you please give it a try to see if it works on your end?
Also, you could enable the Windows Authentication feature if you are logged in with the same domain user account on your workstation. You would need to configure specific options to use the Windows Authentication feature. Please consult the following online help page for more information.
https://helpserver.devolutions.net/configure_windowsauthentication.htm
A ticket has been sent to our engineering department.
Best regards,
Érica Poirier
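
The behaviour reproduced above, as an added illustrative model (not Devolutions code; the thread does not state the internal cause): a per-user grant compared as a raw string misses when the same AD account logs in as domain\username, while the role grant resolved from AD group membership still applies. The domain mapping, function names and stored grant format are assumptions.

```python
# Illustrative model only. Sample data below is constructed.
# Assumption: the per-user grant is stored in UPN form and the UPN prefix equals
# the sAMAccountName. Real directories can differ, so production code should
# resolve both forms to the account's SID or objectGUID instead of rewriting strings.
NETBIOS_TO_UPN_SUFFIX = {"EXAMPLE": "example.loc"}  # hypothetical domain mapping

FOLDER_ACL = {  # the "Support" folder from the thread
    "view":   {"roles": {"helpdesk"}, "users": set()},
    "add":    {"roles": {"helpdesk"}, "users": set()},
    "edit":   {"roles": set(), "users": {"john@example.loc"}},
    "delete": {"roles": set(), "users": {"john@example.loc"}},
}


def canonical(login: str) -> str:
    """Reduce DOMAIN\\user or user@suffix to one lowercase user@suffix key."""
    login = login.strip()
    if "\\" in login:
        domain, user = login.split("\\", 1)
        suffix = NETBIOS_TO_UPN_SUFFIX.get(domain.upper())
        if suffix is None:
            raise ValueError(f"unknown NetBIOS domain: {domain!r}")
        return f"{user}@{suffix}".lower()
    if "@" in login:
        return login.lower()
    raise ValueError(f"unqualified login: {login!r}")


def rights(login, roles, normalize=str):
    """Rights on the folder; `normalize` is applied to both sides of the user match.

    `roles` comes from AD group membership, so it does not depend on how the
    login name was typed. The default `str` leaves names as raw strings.
    """
    who = normalize(login)
    granted = set()
    for right, entry in FOLDER_ACL.items():
        by_role = bool(roles & entry["roles"])
        by_user = who in {normalize(u) for u in entry["users"]}
        if by_role or by_user:
            granted.add(right)
    return granted


if __name__ == "__main__":
    helpdesk = {"helpdesk"}
    print(sorted(rights("EXAMPLE\\john", helpdesk)))             # raw string match
    print(sorted(rights("john@example.loc", helpdesk)))          # UPN login
    print(sorted(rights("EXAMPLE\\john", helpdesk, canonical)))  # canonicalized match
```
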
Thank you Erica!
Changing the username to UPN format on the data source fixed the permission issue. I couldn't believe it was that simple. I have the Windows Authentication feature enabled, but not all of our users are using the same account. I tested with the Windows Authentication feature as well and it is working perfectly. I am planning to use this feature for users with a single username.
Is there a way to push the data source setting to all RDM clients remotely? I have an enterprise environment, so it takes a lot of time to fix them manually one by one.
I know there is an export option for data sources, but someone needs to import them manually to each client.