RE: Admin locked out of a library

VincentQuesnoit · ‎Jan 27, 2010

A friend of mine (such thingsonly happen to friends ! ) has set a restriction on a library : WTObject, ALL states, CONFIRMED, deny everything but read.

So I was wondering whether there was a workaround to get back in charge. Would restoring the LDAP from a backup do the trick ? even better is it safe to delete the ldap filescreated after the fatal date ? Or any other way ?

TIA,

Vincent Quesnoit

ddemay · ‎Jan 27, 2010

ACL's are stored in the db. Can you as site admin gain access to the
product by copying the URL when logged in as the restricted user and paste
it into a web browser who is logged as admin. You could also just use search
to get access as admin if the library doesn't show up in the admin's list.
The admin can then undo the acl setting blocking access in the policy admin
at that level.

Worst case, you can take system offline to normal users via apache, and
enable a wt.property to disable all access control so that you may get to
policy editor as that user. This is discussed in the business
administrators guide.

HTH,

Dave

_____

MikeLockwood · ‎Jan 27, 2010

The global back door (locked my keys in the trunk) is to set this property to false temporarily (wt.properties): wt.access.enforce=true

But - the manager of the context should not be included in CONFIRMED - doesn't sound right.

RussPratt · ‎Jan 28, 2010

One more reason that Deny rules are to be used sparingly and only when absolutely required by business cases. Just don't Grant anything but Read, and you probably get what you really need.

That said, the site or org admin user will be able to edit the Policy Domain for the Library via the Policy Admin. Either that user can "fix" things, or they can create an access rule giving the Library Manager user by NAME Full Control over WTObject in the Library, then the manager user can do the "fixing", then the Named User Rule can be removed.