BPM, Workflow, and Case

  • 1.  Unauthorized error after starting a process instance from Portal v22

    Posted Fri April 21, 2023 07:49 AM

    Hi All,

    Since we upgraded to v22, we have many problems. The newest error is that the user can start a process instance on the Process Portal through a Launch link, but gets "The process failed to launch" alert message and the browser logs a 401 Unauthorized error for the ...process?action=start... REST call behind.

    The user is a member of at least one group assigned to the team which is set for Expose to start and for Default lane team. The Human task's assignment is lane, last user. So it seems that the user can start a process instance on the Process Portal, but the REST API refuses the call of the Portal because of an unauthorized error. We don't understand how this is possible.

    What's wrong, how could we fix it?

    thx,



    ------------------------------
    Laszlo
    ------------------------------


  • 2.  RE: Unauthorized error after starting a process instance from Portal v22

    Posted Fri April 21, 2023 09:36 AM
    Edited by Laszlo Kertesz Fri April 21, 2023 09:38 AM

    Meanwhile we raised the logging levels, and now we get this in the log:

    [4/21/23 15:19:41:308 CEST] 000001c3 GroupMemberCa < com.lombardisoftware.server.core.cache.GroupMemberCacheObject isOutdated RETURN isOutdated: false
    [4/21/23 15:19:41:308 CEST] 000001c3 GroupMemberCa < com.lombardisoftware.server.core.cache.GroupMemberCacheObject getAllUsers RETURN resultUsers.size(): 142
    [4/21/23 15:19:41:309 CEST] 000001c3 GroupMemberCa < com.lombardisoftware.server.core.cache.GroupMemberCacheObject getAllUsersIfNotOutdated RETURN size:142
    [4/21/23 15:19:41:309 CEST] 000001c3 GroupMemberCa < com.lombardisoftware.server.core.cache.GroupMemberCache getAllUsers RETURN 142
    [4/21/23 15:19:41:309 CEST] 000001c3 GroupCore     < com.lombardisoftware.server.core.GroupCore getGroupMemberIds RETURN
    [4/21/23 15:19:41:309 CEST] 000001c3 AuthUtils     < com.ibm.bpm.auth.AuthUtils isMemberOf RETURN false
    [4/21/23 15:19:41:309 CEST] 000001c3 AuthUtils     < com.ibm.bpm.auth.AuthUtils isUserEnabledByParticipant RETURN false
    [4/21/23 15:19:41:309 CEST] 000001c3 Authorization < com.ibm.bpm.auth.AuthorizationForBPDs canStartProcess RETURN canStartProcess=false
    [4/21/23 15:19:41:310 CEST] 000001c3 transaction   1   Transaction 251724752 has been rolled back.
    [4/21/23 15:19:41:310 CEST] 000001c3 Instrumentati 3   Instrumentation period 1 ended.
    [4/21/23 15:19:41:313 CEST] 000001c3 StartActionHa < com.ibm.bpm.rest.impl.process.StartActionHandler handleActionGetModel RETURN
    [4/21/23 15:19:41:314 CEST] 000001c3 RestHelper    > RestHelper getExceptionResponse ENTRY com.ibm.bpm.wle.api.NotAuthorizedActionException CWTBG0549E: You are not authorized to perform the
    'start' action. org.apache.wink.server.internal.contexts.HttpHeadersImpl@34a96d6f null
    [4/21/23 15:19:41:314 CEST] 000001c3 RestHelper    3   Encountered exception has message: CWTBG0549E: You are not authorized to perform the 'start' action.
                                     com.ibm.bpm.wle.api.NotAuthorizedActionException: CWTBG0549E: You are not authorized to perform the 'start' action.

    Maybe this helps to find out what the problem is. We simply do not understand...



    ------------------------------
    Laszlo
    ------------------------------



  • 3.  RE: Unauthorized error after starting a process instance from Portal v22

    Posted Mon April 24, 2023 08:54 AM

    ProcessPortal is a process app, too. The Portal dashboard is exposed to the team All Users, which by default includes a group "tw_allusers". BAW manages membership in that group automatically, however, it is possible to remove users from this group.

    In your environment, there are "just" 142 users in All Users and the current user is not among them. From current data it is not possible to tell how he would have been removed.

    To troubleshoot, you can review members of the All Users team in the process app for Process Portal in Process Admin Console. Again, expectation is that there is a single group as member: tw_allusers.
    Then you can check membership in tw_allusers and you should expect to see this user in the list. If this is not the case, you can add it manually.



    ------------------------------
    Jens Engelke
    ------------------------------



  • 4.  RE: Unauthorized error after starting a process instance from Portal v22

    Posted Mon April 24, 2023 10:07 AM

    Hi Jens,

    The problem is that for the user the Portal displays the process starting link, but when he/she clicks on it, he/she gets an unauthorized error. This is what we don't understand. Only authorized users can see the process starter link, so they must be able to start the process. But BAW says: not authorized.

    Thx,



    ------------------------------
    Laszlo
    ------------------------------



  • 5.  RE: Unauthorized error after starting a process instance from Portal v22

    Posted Mon April 24, 2023 01:10 PM

    Hi Laszlo,

    I understand your problem statement and it is supposed to work. 
    However,
    1) there is "authorization to start your process"
    2) there is "authorization to access Process Portal"

    The user is authorized to start the process, but the link appears to relate to Process Portal, which he is not authorized to use. By default all users can use Process Portal, but this may have been reconfigured in your environment. Therefore, I am suggesting to troubleshoot your Portal authorization - including group memberships of this user.
    From the error it appears as if the user was not a member of tw_allusers - which is unexpected. 



    ------------------------------
    Jens Engelke
    ------------------------------



  • 6.  RE: Unauthorized error after starting a process instance from Portal v22

    Posted Mon April 24, 2023 02:25 PM

    No. The user is authorized to access the portal. The user is authorized to start the process. The user is authorized to execute the first task of the process.

    The user is a member of tw_allusers, a member of the team authorized to start the process and a member of the team authorized to execute the first task of the process.

    But when he starts the process (on the portal, using the process starter menu in the Launch section which is visible for him because he is authorized to see both the portal and the process starter menu), he gets the unauthorized error mentioned.

    This is the problem.



    ------------------------------
    Laszlo
    ------------------------------



  • 7.  RE: Unauthorized error after starting a process instance from Portal v22

    Posted Tue April 25, 2023 03:26 AM

    Hi Laszlo,

    I am sorry. I went back and re-read your problem statement and I was indeed far off. I was jumping to conclusions of another recent case I was involved in after seeing the trace extract.

    In your trace, you can see the code getting all users of a group (including nested groups) from cache. The cache returns 142 users, but the current user is not among them. Therefore, AuthorizationForBPDs returns false in canStartProcess.

    A little earlier in the trace, you should be able to see which group was checked. That may give you more hints on what is happening. Maybe the user is a member of this team, but only in other snapshots.



    ------------------------------
    Jens Engelke
    ------------------------------
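
Added example, not part of the thread and not IBM code: a Python sketch of the approach suggested in post 7, pulling out the trace entries that precede each `canStartProcess=false` on the same thread so the earlier group check can be read in order. The function names are hypothetical; the sample lines are copied from post 2 except the `000001d7` line, which is constructed to show interleaved threads.

```python
import re
from collections import defaultdict, deque

# Trace line layout as seen in post 2: [timestamp] threadId component marker message
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<tid>[0-9a-fA-F]{8})\s+(?P<comp>\S+)"
    r"\s+(?P<kind>[<>]|\d)\s+(?P<msg>.*)$"
)
DENIED = "canStartProcess=false"

def denial_contexts(lines, lookback=200):
    """For every denied start, return the earlier entries of the same thread."""
    history = defaultdict(lambda: deque(maxlen=lookback))
    found = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines (e.g. exception text)
        rec = m.groupdict()
        if DENIED in rec["msg"]:
            found.append({"ts": rec["ts"], "thread": rec["tid"],
                          "context": list(history[rec["tid"]])})
        history[rec["tid"]].append(rec)
    return found

def false_checks(context):
    """Messages of calls in the context that returned false, oldest first."""
    return [r["msg"] for r in context if r["msg"].endswith("RETURN false")]

# Lines from post 2, plus one constructed line from another thread (000001d7).
SAMPLE = """
[4/21/23 15:19:41:309 CEST] 000001c3 GroupMemberCa < com.lombardisoftware.server.core.cache.GroupMemberCache getAllUsers RETURN 142
[4/21/23 15:19:41:309 CEST] 000001d7 AuthUtils     < com.ibm.bpm.auth.AuthUtils isMemberOf RETURN true
[4/21/23 15:19:41:309 CEST] 000001c3 GroupCore     < com.lombardisoftware.server.core.GroupCore getGroupMemberIds RETURN
[4/21/23 15:19:41:309 CEST] 000001c3 AuthUtils     < com.ibm.bpm.auth.AuthUtils isMemberOf RETURN false
[4/21/23 15:19:41:309 CEST] 000001c3 AuthUtils     < com.ibm.bpm.auth.AuthUtils isUserEnabledByParticipant RETURN false
[4/21/23 15:19:41:309 CEST] 000001c3 Authorization < com.ibm.bpm.auth.AuthorizationForBPDs canStartProcess RETURN canStartProcess=false
""".splitlines()

if __name__ == "__main__":
    for hit in denial_contexts(SAMPLE):
        print(f"denied at {hit['ts']} on thread {hit['thread']}")
        for rec in hit["context"]:
            print(f"  {rec['comp']:<14}{rec['kind']} {rec['msg']}")
```

Run against the full trace file (for example `denial_contexts(open(path, errors="replace"))`), the context list will include the ENTRY lines of the membership check, which is where the group that was evaluated appears.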