Coming soon: Your brand new Help Center & Community! Get a sneak-peek here

Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

ADMIN: Not an API Question, therefore moved to Tech forums...

Hi Guys, i'm getting this error after upgrading from 8.4 to 8.5 at a customer site, for some users when they try to access Service. S&M is working just fine. 

The following message is logged in Service' log folder:

ticket8.5.0000.0: NetServerException (NetServer exception: Service call User.SaveUser failed with exception
User.SaveUser

Sentry denies Write access:

) in :-1

And here's the netserver log:

Level:   Error
At:      09:12:55

Element:
Message: Service call User.SaveUser failed with exception
User.SaveUser
Type:    SuperOffice.Exceptions.SoException
Details:
   at SuperOffice.CRM.Services.Implementation.UserAgentLocal.SaveUser(User user)
   at SuperOffice.Services88.UserAgent.SaveUser(User user)
   at SuperOffice.Services88.WcfService.WcfUserService.<>c__DisplayClass8_0.<SaveUser>b__0(UserAgent agent, SaveUserResponse response)
   at SuperOffice.Services88.WcfService.SoWcfService`1.Execute[TRequest,TResponse](String methodName, TRequest request, OnExecute`1 execute)

Inner Element:
Message: Sentry denies Write access: 
Type:    SuperOffice.Exceptions.SoSentryException
Details:
   at SuperOffice.CRM.Security.FieldRight.DemandRight(EFieldRight right)
   at SuperOffice.CRM.Entities.Person.set_Country(CountryRow value)
   at SuperOffice.CRM.Services.Implementation.UserConversionHelper.UpdateFromUser(SoUser soUser, User user, Dictionary`2 validator)
   at SuperOffice.CRM.Services.Implementation.BL.UserImplementation.GetSoUser(User user, Dictionary`2 validator)
   at SuperOffice.CRM.Services.Implementation.BL.UserImplementation.Save(User user)
   at SuperOffice.CRM.Services.Implementation.UserAgentLocal.SaveUser(User user)

Environment info:
SingleThreadMode:               False
Database type:                  MSSQL - 11
Database:                       \\\
SerialNumber:                   HIDDEN
Version:                        SuperOffice 8.5 R15 NetServer 8.5 Release (Build: Release85_C-2020.10.12-01)
Version.Assembly:               8.5.0.0
Version.File:                   8.5.7590.1002
Version.BuildLabel:             Release85_C-2020.10.12-01
ContextIdentifier:              Default
MachineName:                    HIDDEN
StackTrace:                        at SuperOffice.Diagnostics.SoLogger.LogError(Exception ex)
   at SuperOffice.Services88.WcfService.SoWcfService`1.Execute[TRequest,TResponse](String methodName, TRequest request, OnExecute`1 execute)
   at SuperOffice.Services88.WcfService.WcfUserService.SaveUser(SaveUserRequest request)
   at SyncInvokeSaveUser(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
   at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
   at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
   at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
   at System.ServiceModel.Dispatcher.ChannelHandler.OnAsyncReceiveComplete(IAsyncResult result)
   at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
   at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
   at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)
   at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
   at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)
   at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.CompleteParseAndEnqueue(IAsyncResult result)
   at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.HandleParseIncomingMessage(IAsyncResult result)
   at System.Runtime.AsyncResult.SyncContinue(IAsyncResult result)
   at System.ServiceModel.Channels.HttpPipeline.EmptyHttpPipeline.BeginProcessInboundRequest(ReplyChannelAcceptor replyChannelAcceptor, Action dequeuedCallback, AsyncCallback callback, Object state)
   at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.ProcessHttpContextAsync()
   at System.ServiceModel.Channels.HttpChannelListener`1.BeginHttpContextReceived(HttpRequestContext context, Action acceptorCallback, AsyncCallback callback, Object state)
   at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)
   at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
   at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
   at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state)
   at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
   at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

The customer is using custom user roles, and we found a workaround that seems to work everytime, and one that works most of the time:

1. Assign admin role to the user temporary, log in to SO and thereafter Service - Service loads just fine. Revert the role back to the original role, and Service still works fine.

2. Ask the user to set the locale locally on the client via the local settings menu. This usually works, but with some users it doesn't.

 

So in short, the problem seems to be isolated to user role permissions, and or / the locale of the user. But since it does not tell me which permission it needs, it's pretty hard to correct for it.

 

Heres the configuration for the user role that has the problem:

Any help would be greatly appreciated.

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

Hi,

Believe this is related to your dataright setup;

Assume that you are not able to edit your own person card in CRM.web?

 

Von: Michel Krohn-Dale 19. Nov 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

It's correct that they shouldn't be able to edit their own person card, nor any other person card. Data is not born in SuperOffice, and they are owned by another system, so companies and persons should not be edited by normal users in any circumstance, and they've always not been able to do so. The exception of course is the users person cards, which is of course "born" in superoffice, but via Adwiza's AD Manager.

 

But how is that related to this error? It seems to me, that the right is regarding their ejuser / locale setting in some way. 

 

It has worked fine before the upgrade in 8.4.

Von: Dennis Mortensgaard 19. Nov 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

I figured out i could toggle the problem on and off by changing the language inside Service:

The users language is Danish in the ejuser table, but the web gui always defaults to english unless the cookie for localization has been set. I initially thought the problem was solved permanently after changing the language, but it turns out, the problem occurs again when changing back to english - same user.saveuser error.

 

So i tried manually changing the ejuser column language to "en" instead of "dk" for the user, and now English language is working, and danish language is not.

 

So it seems the right that is missing, is the right for the user to write to the ejuser table on their own record.

 

So i believe this issue can be resolved by getting which right is needed and assigning it to the user role.

 

Anyone who can tell me which right SO needs to update the ejuser table?

 

(The joker in this, is  that the reason why it works when updating the user to an administrator role, logging in to service and changing the role back again, is that it gets to change the language into danish in the ejuser table - but if we try to change it again after they are back in their original role, they can't change the ejuser table again..)

Von: Dennis Mortensgaard 19. Nov 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

HI Dennis!

I believe the key is in the error message:

Details:
   at SuperOffice.CRM.Security.FieldRight.DemandRight(EFieldRight right)
   at SuperOffice.CRM.Entities.Person.set_Country(CountryRow value)
   at SuperOffice.CRM.Services.Implementation.UserConversionHelper.UpdateFromUser(SoUser soUser, User user, Dictionary`2 validator)
   at SuperOffice.CRM.Services.Implementation.BL.UserImplementation.GetSoUser(User user, Dictionary`2 validator)
   at SuperOffice.CRM.Services.Implementation.BL.UserImplementation.Save(User user)
   at SuperOffice.CRM.Services.Implementation.UserAgentLocal.SaveUser(User user)

When trying to set the Person.Country row, there is a DemandRight statement there to block anyone that does not have right to the Person.Country table, which I believe is tied to the Contact (Person) rights. The image containing the rights show that Person (Contact) only has Read rights, and therefore this fails.

I believe, if it is the current user updating his/her user - and person info, setting the My Own rights to Update would fix this error.

If users are not allowed to update their own records, and only certain roles are, then you will likely need a custom sentry (or preference sentry) for this case.

Hope this helps.

Von: Tony Yates 19. Nov 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

Thanks Tony, but i don't understand if the contact (person) right is tied with their user in the ejuser table - i thought that was about the person entity only in S&M - which users should not be able to update - and they never needed to be able to - as said earlier, we did not have this problem prior to version 8.5 R15, with the same role configuration.

Furthermore, since they did not create their own person card in S&M (or is associated with it as our contact), then do they actually "own" their own person card after all - the sentry rules is based on the associate_id field on the person table, right?

 

So it seems like i need to look into custom sentry, or a preference sentry - are there any direction you can point me in, since i've only tried working with custom sentry rules via the preferences, which i have pretty bad experience with on customers this size (800 users)

 

Thanks

Von: Dennis Mortensgaard 20. Nov 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

This should be fixed in the next Nine online release (9.2 R04) and the upcoming 8.5 R16 release.

Von: Erik Knudsen 1. Dez 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

Hi Erik

Could you please provide an bug-ID for this?

Thanks

Adam

Von: Adam Miller 3. Dez 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

Hi Adam,

We have two bug id's associated with this issue and the changeset associated with the fix.

  • 77384 
  • 76293

I'm not sure why these are not visible in the public Bugs and Wishes page though... Internally they are marked as resolved and the changeset confirms changes to the person sentry to fix this problem.

Best regards

Von: Tony Yates 3. Dez 2020

RE: Service call User.SaveUser failed with exception User.SaveUser - Sentry denies write access (But does not tell which sentry rule it needs)

HI Tony

Thanks for the reply.

Best regards

Von: Adam Miller 3. Dez 2020