Security: Individual Override permission changes in version 2016

Jonathan Semones -

Starting in Lucity 2016, Lucity will no longer use individual override permissions. Some individual override permissions can be auto-converted to group permissions automatically after the upgrade, but some permissions must be handled manually.  This article discusses some of the techniques for finding and resolving these now.

We recommend you resolve these as soon as possible and stop using individual overrides.  All of the techniques below will work on all historic versions of Lucity, there is no need to wait to upgrade to Lucity 2016 to make these changes.

 

Instructions for users on Lucity 2015r2:

You can check for the permissions using the Data Quality tool.  First you will need to load a set of queries into the data quality tool that we have developed to find Individual Override permissions.  The queries are contained in the .xml file in the attached .zip file.  Users can install this file by copying it to their machine in the %LucityDesktopInstall%\bin\Data directory (for example c:\program files (x86)\Lucity\bin\Data).  It will overwrite an existing XML file.

This file can be installed on 2015r2 (regardless of service pack).  In order to be able to run this query on Lucity 2015r2, you must alter the system settings on the General tab to allow the USER_INFO table to be queried.  This can be done by opening the Lucity Administration Tools > System > Settings > General tab and  removing user_info| as seen below:

 

Once this file is copied it, the 2 new queries are available in the Data Quality tool in the Sys Config query suite.  (Note:  starting in Lucity 2016 these queries will appear under the User suite)

 

The Error query is the one to pay close attention to because these can’t be converted automatically.  You must resolve these if you want to maintain your current permission state with Lucity 2016.  Instructions are provided in the tool for our recommendations on how to convert the individual permissions to group permissions.  Our recommendation is to:

  1. duplicate the existing group that has the denies,
  2. remove the denies from the new group that are overridden by the individual’s grants,
  3. move the individual from the old group to the new group.

 

Instructions for clients on Lucity 2015 and earlier:

Clients on earlier versions can use the following queries to review individual overrides that should be converted.

This query shows items we will automatically convert to group permissions for them for Lucity 2016.  It is not necessary to manually address the items returned in this query:

select U.INITIALS, U.LAST_NAME, U.FIRST_NAME, mm.MODULE_LICENSE, mm.MODULE_DESCRIPTION, mm.KEYID as ModuleID, m.PERMISSIONSID, I.PERMISSIONS_STATUS
from INDIV_OVERRIDE I left join user_info U on U.Initials = I.Initials left join MODULE_PERMISSIONS m on m.keyid = i.PERMISSIONSID left join modules mm on mm.KEYID = m.MODULEID
order by U.INITIALS, MODULE_LICENSE, MODULE_DESCRIPTION, PERMISSIONSID

 

These queries shows items we cannot automatically convert and will be lost in the Lucity 2016 upgrade.  They must be manually addressed:

select m.Program_Name, m.Module_Description, mp.PermissionsID, g.Group_Name, i.Initials
from Group_Permissions g inner join Indiv_OverRide i on g.PermissionsID=i.PermissionsID inner join Module_Permissions mp on mp.KeyID = g.PermissionsID
inner join modules m on m.keyid = mp.ModuleID where g.Permissions_Status=0
and i.Permissions_Status=1
order by 1,2,3,4

 

The above should be resolved by:

  1. duplicating the existing group that has the denies,
  2. removing the denies from the new group that are overridden by the individual’s grants,
  3. moving the individual from the old group to the new group.
Have more questions? Submit a request

Comments