We create analytic events by calling the SOAP interface AlarmServiceToken. We are unable to configure a user group to see those events. Members of the administrators group can see them, but no one else. How can we let ordinary users see the events?
Alarm or events cannot be seen if the user does not have rights to see the source of that event or alarm, so please check if that is the case.
If this my first idea does not fit I wonder if you can tell how you do the analytics event for me to test it here at the Milestone test lab.
The users have access to the cameras, so that is not the problem. After some trial and error testing it appears the users can view the events if we enable full access to the Access Control feature on the Overall Security tab for the role. It doesn’t make sense, but it works. Does the Access Control feature enable other permissions?
BTW, we are running Milestone 2022 R3.
Let me get back to you with more info about how we create the analytics events.
@Bo Ellegård Andersen (Milestone Systems) Here is how we create the event with a bounding box connected to a camera.
<soap-env:Envelope xmlns:soap-env=\"http://schemas.xmlsoap.org/soap/envelope/\">
<soap-env:Header xmlns:wsa=\"http://www.w3.org/2005/08/addressing\">
<wsa:Action>http://videoos.net/2/CentralServerAlarmCommand/IAlarmCommandToken/AddEvent</wsa:Action>
<wsa:MessageID>urn:uuid:ccfe9487-6b9d-49f4-b51f-ce2c379c3448</wsa:MessageID>
<wsa:To>http://fqdn-to-our-management-server:22331/Central/AlarmServiceToken</wsa:To>
</soap-env:Header>
<soap-env:Body>
<ns0:AddEvent xmlns:ns0=\"http://videoos.net/2/CentralServerAlarmCommand\">
<ns0:token>TOKEN#843a9d56-40b7-4248-9509-e4dffaf17755#fqdn-to-our-management-server//ServerConnector#</ns0:token>
<ns0:baseEvent xmlns:ns3=\"urn:milestone-systems\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"ns3:AnalyticsEvent\">
<ns1:EventHeader xmlns:ns1=\"urn:milestone-systems\">
<ns1:ID>a2506970-c29e-4bf6-a277-65ff1af147d6</ns1:ID>
<ns1:Timestamp>2023-06-27T11:46:00.180000Z</ns1:Timestamp>
<ns1:Message>Our event message</ns1:Message>
<ns1:Source>
<ns1:FQID>
<ns1:ServerId>
<ns1:Type>XPCORS</ns1:Type>
<ns1:Hostname>fqdn-to-our-recording-server</ns1:Hostname>
<ns1:Port>7563</ns1:Port>
<ns1:Id>8a2a1065-2423-4397-a93e-ebe28d7c8c41</ns1:Id>
<ns1:Scheme>http</ns1:Scheme>
</ns1:ServerId>
<ns1:ParentId>8a2a1065-2423-4397-a93e-ebe28d7c8c41</ns1:ParentId>
<ns1:ObjectId>6d311ca5-2845-4620-9880-10c7fa1b4a01</ns1:ObjectId>
<ns1:FolderType>0</ns1:FolderType>
<ns1:Kind>5135ba21-f1dc-4321-806a-6ce2017343c0</ns1:Kind>
</ns1:FQID>
</ns1:Source>
</ns1:EventHeader>
<ns2:ObjectList xmlns:ns2=\"urn:milestone-systems\">
<ns2:Object>
<ns2:BoundingBox>
<ns2:Top>0.33611111111111114</ns2:Top>
<ns2:Left>0.16302083333333334</ns2:Left>
<ns2:Bottom>0.6703703703703704</ns2:Bottom>
<ns2:Right>0.22447916666666667</ns2:Right>
<ns2:Color>
<ns2:A>200</ns2:A>
<ns2:R>255</ns2:R>
<ns2:G>0</ns2:G>
<ns2:B>0</ns2:B>
</ns2:Color>
</ns2:BoundingBox>
</ns2:Object>
</ns2:ObjectList>
</ns0:baseEvent>
</ns0:AddEvent>
</soap-env:Body>
</soap-env:Envelope>
Note that our management server and recording server are two different machines. The FQID the event is connected to is not the management server. Is that a problem?
And regarding the Access Control workaround. We have verified it on two different installations now. Without full access the users can’t se any events we create. With full access they can see them.
Additional clarifying questions…
How do you read the events?
If you use the Smart Client Alarm List and set it up to show events, do you see the events? If using this method do you still see the same behavior on a Role (user group) having to have the Access Control permission?
@Bo Ellegård Andersen (Milestone Systems) Exactly. We have a view in Smart Client with Alarm List (datasource set to “Event”) to list the events and Alarm Preview to see the image from the camera with the bounding box supplied when we create the event. When we add full access to the Access Control feature the users in the role can see the events. Otherwise the list is empty for them.
I cannot reproduce this in the Milestone test lab.
Please test if you see the same behavior if not using your program. If you instead trigger the analytics event from the Management Client, when looking at the configured analytics event there is a test button, if you trigger the analytics event by use of this test button, is the behavior you observe the same?
I have a feeling we will have to understand your setup more in depth. One way to do this is to get a configuration backup from the system. I will open a support case and request such a backup as I don’t think the kind of files are suited for a public forum.
@Bo Ellegård Andersen (Milestone Systems) We have now verified the behavior on four different installations (dev, test and two production installations). The workaround with the Access Control feature will suffice for now. I got the support case number and will reach out to you again when I’m back from summer vacation in August.
@Bo Ellegård Andersen (Milestone Systems) I’m now back from vacation and have conducted some more tests. If I create an analytics event by clicking “Test Event” in Management Client the role require only View permission in the Alarms feature for the event to be visible in Smart Client. However the events created by calling AlarmServceToken will be hidden until Use access control permission is granted to the Access Control feature. If I remove View permission in the Alarms feature events from both Management Client and AlarmServiceToken are hidden.
The following minimum role permissions works in my tests:
- Management Server - Connect
- Cameras - Read
- Alarms - View
- Access Control - Use access control
I have tested both a Windows User and a Basic User connected to this role with the same result.
Testing different role permissions to understand this problem is also quite challenging since any changes are not effective immediately. I must restart the Event Server between changes.
Also, the support case you opened is not possible for me to see. I get the message “Sorry, but you don’t have access to Case View, which is only available for CARE Plus and CARE Premium members”.
The Support cases are only for partners, I must have mistakenly assumed you were a partner. If you are interested maybe look at -https://www.milestonesys.com/partners/become-a-partner/technology-partner-program/
I am unable to reproduce, but I realize that there is no sample that triggers analytics events using the AlarmServiceToken, please share your solution with me so that I can attempt to reproduce. (I cannot reproduce using any of the samples that triggers analytics events (TriggerAnalyticsEventXML/AnalyticsEventTriggerViaLibrary/LibraryEventGenerator)).
It turns out that this is a known issue. There is no fix at this point in time but there is an easy workaround. The buggy behaviour happens if the Type is null. The workaround is to set the Type in the EventHeader. You can set it to any value, even string.Empty, as long as it is not null the bug is avoided.