Certain User Cannot See Profiles Assigned to Device

Certain User Cannot See Profiles Assigned to Device

Have a strange situation where a certain user account cannot see any profiles that are assigned to a device.  For instance, a device has 3 profiles assigned to it and when this particular user selects the profile drop-down there are no profiles listed.  When the user account was originally created, the user was not having this issue so it has appeared randomly at some point after being created. 

The permissions are being applied to these users from a group, and the rest of the users in the group are not having this issue.  The issue actually happened a while back and I just created a new user for him which worked for a while but now it's exhibiting the same issues.

Has anyone seen this or have any thoughts to resolve?  Happens on multiple browsers and also different computers so do not believe it's some kind of caching issues.

 

 

Thanks

  • 20 November 2019
  • SOTI MobiControl
  • 16 Answers
  • 0 Upvote
  • 4 Followers
  • 850 Views
    • 16 Answers
    • 0 Upvote
    • 4 Followers

16 Answers

Order By:   Standard | Newest | Votes
Raymond Chan | posted this 21 November 2019

 I see something similar in one of my customer's server recently.   What are the version and build numbers of your MobiControl server? 

  • 0
  • 0
Chris R | posted this 22 November 2019

We are on 13.4.0.5519.

  • 1
  • 1
Raymond Chan | posted this 24 November 2019

Unfortunately, my customer's server is running v14.4.3.1115, and it may have a differnt problem from your case.

  • 0
  • 0
Ravikant Mishra | posted this 25 November 2019

Can you please check if this user account is not part of other Groups? This may happen if user is part of multiple groups with conflicting access.

  • 0
  • 0
Chris R | posted this 25 November 2019

This user is only a part of a single group.

  • 0
  • 0
Chris R | posted this 05 December 2019

Have a 3rd user now where this is popping up.  Wanted to add that this happens from multiple computers so it's not some kind of weird caching issue.

 

I can login with my user account on my laptop and everything is fine.  I then logout and login with the profile-less user and the profiles are gone.

 

Is there a way to revoke a profile for a particular device via an android script?  It could at least be a viable workaround if there was a script to revoke a particular profile and then re-install it once finished working with a device.

  • 0
  • 0
christopheBERNARD | posted this 05 December 2019

Hello all,

@chris -> i'm not expert but for me by script mobicontrol it's not possible but you can use perhpas mobicontrol api 

 

URL/MobiControl/api/docs/Index#/

 

 

  • 0
  • 0
Johnathon Marshall | posted this 12 December 2019

I've had a similar issue before which was resolved when I recreated the user.

  • 0
  • 0
Sascha Möller | posted this 16 December 2019

Hi Chris,

 

you must add the user account to your profiles:

 

[Profiles Tab] / [YOUR Profile] / [Edit Permissions]:

 

 

We had the same issue after upgrading our enviroment.

We created a local soti-group and added this group to all profiles and users (its working for soti 13.X and 14.X).

The local soti-group has no permissions (Global Permissions or Device Group Permissions).

 

Regards,

Sascha

  • 0
  • 0
Chris R | posted this 17 December 2019

Our issue is actually viewing the profiles at the device level and selecting the Profiles pane to the right.  We have a user group with 18 users in there, and there are 2-3 who just cannot see the profiles assigned to any devices and everyone else in the group can.

 

 

  • 0
  • 0
Sascha Möller | posted this 17 December 2019

Hi Chris,

we had the same issue with the profile-view in the device-details. Only members of the mobicontrol administrator could view the profiles in the device details. All other users or user groups could not list profiles. We were able to solve the issue by adding all profiles and users to one group.

If that doesn't work for you, could you please check the permissions for the users in the database?

Table: SecurityPrincipal; Column: RightsGranted / RightsDenied

The value must be the same for your users in one group.

Regards, Sascha

  • 0
  • 0
Chris R | posted this 17 December 2019

Here are the database values for the particular User in question and also the group they are a member of.  I just had a new user report this to me this morning as well with the same issue.  The user this morning has been a part of this group for over 2 years and just now is seeing the issue.

 

 

 

User/Group      RightsGranted               RightsDenied

Group              1161479415926020       3271751431598842

User                 0                                 0

 

 

Should the user show the same RightsGranted and RightsDenied values as the group in the database?

  • 0
  • 0
Chris R | posted this 17 December 2019

I created a new user and assigned permissions manually instead of attaching the user to the group in question.  On initial look, device profiles were still not visible although security permissions looked like they should have access.

 

I then went to the profile security and added the user with read-only permissions to the profile and the new user can now see the profile from the device screen and is able to revoke/install it like normal.

 

I guess I'm a little confused as I've never had to do this for any users, and it's not affecting all users.

  • 0
  • 0
Sascha Möller | posted this 17 December 2019

Hi Chris,

 

have you updated your environment? We had the same issue after upgrading our environment.

 

I recommend you create a group and add all users and profiles. The group will automatically be a member of new profiles.

The group does not require any permissions (Global Permissions or Device Group Permissions). The group is only member of all profiles.

 

Regards,

Sascha

  • 0
  • 0
Chris R | posted this 17 December 2019

We recently did a maintenance release to latest 13.4 versions.  However, we were having this issue prior to that update also.

 

I wrote a SQL script to insert records into the UserAccessControl table to get what I needed for our main group.  We have other groups that should only see one profile so now I'll have to granularly create these permission relationships and it's easier in SQL (for me at least).

I don't think SOTI really supports direct SQL modifications, but script below is what I'm using to associate a user group to a profile.

 

declare @group nvarchar(100) = 'GroupName'
declare @profile nvarchar(250) = 'ProfileName'
declare @catID int
declare @princID int

set @princID = (SELECT PrincipalId FROM SecurityPrincipal WHERE PrincipalType = 0 and PrincipalName = @group)
set @catID = (SELECT CatalogueItemId from CatalogueItem where Name = @profile and IsDeleted = 0 and CatalogueItemTypeId = 1)

INSERT INTO UserAccessControl (PrincipalId, CatalogueItemId, CanView, CanEdit)
VALUES (@princID, @catID, 1, 0)

 

 

  • 0
  • 0
Sascha Möller | posted this 18 December 2019

Hi Chris,

we also used a sql-statement to add our group to all profiles.

Regards, Sascha

  • 0
  • 0

Give us your feedback
Give us your feedback
Feedback