When my user logs in on the browser and opens a document, a computed text field with the formula @UserRoles.
When this same user logs in through the notesclient and opens a document, the computed text field shows all the roles that are assigned to him…
My user has access to this database through a group. In the acl, this group is defined as a person group. The enforce a consistent acl is turned on…
I tried putting his name in the acl and then giving him the roles. From the client, all was well, but from the browser, it still only showed $$Webclient as the only role assigned to him…
I don’t know what else to try…
Incidently, this is a production database, and was working fine until today. Well, I guess until today. Today is when the user called. This database has been in production for 3 years.
Sounds like user is hitting the web site without authenticating and getting default access. Do you have an “Anonymous” entry in the acl set to no access?
You could always take a look at @UserNamesList but I suspect that you have the same problem.
You need to check if it is only this one user that gets the problem or whether other users are getting the problem and just haven’t mentioned it. Is this user a new user of the system. If so then check their person document in the NAB and also check which groups they are in.
I have run into this problem in various environments.
The solution is to put an explicit entry in the acl using the shortname and apply the necessary roles to it.
That means a person may have 2 entries in the ACL, one full name and one shortname. You can also assign different accesses and roles to the different short/long names and it works fine. I think this may actually be a feature.
This crops up at times when private/personal views are involved. SO I wonder if your application changed or he deleted his private views or added new ones.
The short name is only effective if you are forcing authentication of course.
I am wondering if perhaps also maybe you formerly had the shortname entries and they were erased from the ACL which generated the problem, or if this persons shortname in his person document somehow got changed.
In our person document for our Notes users/Browser users, we have a list of Usernames… Their short name, their abbreviated name, and their Common Name.
When we moved the short name to the bottom of the list as opposed to the top of the list, the user then had all of the roles they were supposed to have.
Which would make me happy, except not consistent. My person document has my short name appearing at the top of the list, and I still had all of my roles that I was assigned…
So, not sure excatly what the deal is. Plus, up until last week, this particular user had the roles assigned to him. His person document wasn’t changed… and all of the sudden it was no longer working.
A few years ago, our admin people instructed us to make sure that the short name appeared in the top of the list of user names… Now they are saying the short name needs to appear at the bottom of the list.
Based on their first instruction, we wrote our registration process to make sure short name appeared on the top of the list.
Ugh!
Anyway… somehow, the username order seems to make a difference…
And to throw more in the mix, we have another user who simply doesn’t have the short name appearing in the list of usernames at all, and she has all of the roles assigned her as well…
This brings back some distant memories. I don’t have a solution for you but here are some things you could look at.
Are you are using groups, and then assigning the groups to the roles ? If so then check which names are going into the groups. As far as I am aware, the names should be the full canonical name and not the shortname. But someone may correct me on this.
I also wonder if the groups are static or whether they are being updated by an agent periodically ? Could this agent have changed or errored ?
I’m running into this situation right now, with a web app that users subscribe to:
User subscribes to the site, defining email addr as username
User is added as a member of a group
Group name is in ACL of the site, with a role assigned that allows access to a specific view.
What I have found is:
– the first entry in the FullName field on the person doc MUST be the hierarchical name
– the hierarchical name must be included in the group
Otherwise, the user will NOT get the appropriate role assigned, and not have access to the desired view. The user can authenticate using his/her email addr, which is the SECOND entry in the FullName field; but the hiearchical name MUST be the first entry, otherwise the role will not be recognized.