BIOVIA Insight: Changed data source access permissions do not seem to take effect

Program

BIOVIA Insight (all supported versions), BIOVIA Pipeline Pilot Queryservice components (all supported versions)

 

Operating System

All supported operating systems

 

Summary

If an administrator makes changes to the access rights for a data source, it initially appears that the modified access rights do not become active in BIOVIA Insight. This article describes the two typical causes that can lead to this problem and how to resolve them.

 

Background & Solution

Access permissions to data sources in BIOVIA Insight are typically handled through a user's membership in a particular group or external claim, together with the access permissions set on the data source for these groups. An administrator may encounter two main problems when giving a particular user access to a data source:

  1. Pipeline Pilot reads the group membership of a user only at login, so changes to the group membership only become active at the next login. This problem therefore applies only to users whose group membership is changed while they are logged in. To resolve this problem, the administrator must instruct the user to log in again once the user's group membership has been changed.
  2. The BIOVIA Queryservice (i.e. the Pipeline Pilot server component that manages access to the datasources) stores the metadata and access authorizations of the datasources in a cache for performance reasons. So if the access authorizations change, these changes are initially not effective, as the queryservice uses the unchanged cached data. To resolve this problem the cache data can be reset by calling the following API function of the queryservice:

    https://<server>:<port>/auth/queryservice/datasources?format=xml&types=Relational&refresh=true

Change the Pipeline Pilot server name and server port according to your installation. When calling this API function, you must authenticate with the Pipeline Pilot server, and specifically with an account that is a member of the 'QueryService/Administrators' group. Other typical administrative groups such as 'Insight/Administrators' and 'Platform/Administrators' are inherent members of the 'QueryService/Administrators' group, so members of these groups can also make the API call. Likewise, the standard Pipeline Pilot and Foundation Hub administrator account 'scitegicadmin' can also initiate this API call.
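A scripted form of the cache reset call described above, as an added example that is not part of the original article and is not BIOVIA code. It assumes the server accepts HTTP Basic authentication on this URL; the function names are hypothetical, and the host, port and account passed on the command line are your own values.

```python
"""Reset the queryservice datasource cache (added example, not BIOVIA code).
Assumption: the server accepts HTTP Basic authentication on this URL."""
import base64
import getpass
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Query parameters exactly as given in the article's URL.
REFRESH_QUERY = {"format": "xml", "types": "Relational", "refresh": "true"}


def build_refresh_url(server: str, port: int) -> str:
    """Build the refresh URL; reject values that would alter the target."""
    if not server or any(c in server for c in "/@?#: \t\r\n"):
        raise ValueError(f"invalid server name: {server!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    query = urllib.parse.urlencode(REFRESH_QUERY)
    return f"https://{server}:{int(port)}/auth/queryservice/datasources?{query}"


def build_request(server, port, user, password):
    """Prepare the GET request with a Basic Authorization header (assumed)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(build_refresh_url(server, port), method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def refresh_cache(server, port, user, password, timeout=60):
    """Send the request; return the root tag of the XML reply."""
    req = build_request(server, port, user, password)
    try:
        # urlopen verifies the server certificate by default; keep it that way.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"refresh rejected with HTTP {exc.code}; check that "
                           f"{user!r} is in QueryService/Administrators") from exc
    return ET.fromstring(body).tag  # format=xml was requested


if __name__ == "__main__":
    host, port_arg, admin = sys.argv[1:4]
    # Prompt for the password so it never lands in shell history or `ps`.
    print(refresh_cache(host, int(port_arg), admin, getpass.getpass()))
```

Run it with the server name, port and administrative account as arguments; the password is read interactively.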

 

To summarize, at least one of the following two additional steps is required to activate modified access rights to datasources:

  • If an administrator has set the access rights to a specific datasource via the membership in a particular internal group or an external claim, and a user is added to or removed from this group, then this user must log in again in order to apply the changed group membership and subsequently the access rights assigned to this group.
  • If, on the other hand, the administrator has changed the actual access rights to the datasource, e.g. from DENY to USE DATA SOURCE, then the administrator must also reset the datasource cache of the Pipeline Pilot queryservice, using the API call as outlined above. This applies both if you have only changed the access rights and if you have changed the access rights in addition to the change to the group membership. Once the queryservice data cache is reset, the new access rights for this user will then become active the next time the application calls up the list of available datasources (e.g. when an Insight user calls up the Search option from the Insight Home screen).