How to replace security action definitions on existing items?

Hi,

we implemented a plugin integration which creates items with security actions attached. After some months we encountered some difficulties and had to replace the old security action definitions with new security actions (completely new SecurityActionIds and SecurityActionDisplayNames).

After updating EventServer and ManagementClient we get the following error message as we try to access the old items in the role category of the management client:

===================================

VMO60325: Could not retrieve information for the security namespace. The namespace does not exist. (VideoOS.Platform)

------------------------------

Programmordner:

at VideoOS.Platform.Proxy.ConfigApi.ConfigurationApiItemWrapper.Children()

at VideoOS.Platform.ConfigurationItems.MIPItemFolder.get_MIPItems()

at VideoOS.Platform.Configuration.GetItemConfigurationsBase(ServerId serverId, Item parentItem, Guid itemKind)

===================================

VMO60325: Could not retrieve information for the security namespace. The namespace does not exist. (mscorlib)

------------------------------

Programmordner:

Server stack trace:

at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at VideoOS.ConfigurationApi.ClientService.IConfigurationService.GetChildItems(String path)

at VideoOS.Platform.Proxy.ConfigApi.ConfigurationServiceClientDecorator.<>c__DisplayClass7_0.b__0(ConfigurationServiceClient client)

at VideoOS.Platform.Proxy.ConfigApi.ConfigurationServiceClientDecorator.CallWithRetry[TResult](Func`2 call)

at VideoOS.Platform.Proxy.ConfigApi.ConfigurationServiceClientDecorator.GetChildItems(String path)

at VideoOS.Platform.Proxy.ConfigApi.ConfigurationApiItemWrapper.Children()

I already tried to update the old items by running the following lines on each item:

SecurityAccess.UnregisterItem(item);

SecurityAccess.Save();

SecurityAccess.RegisterItem(item);

SecurityAccess.Save();

Afterwards I was able to access the old items on the role tab and saw the new SecurityActions, but as soon as I tried to configure a SecurityAction my ManagementClient showed the following error:

===================================

VMO60021: Could not create the access entry. The object with the ID 67a21386-185f-48df-b6dd-1359d199961b does not exist. (VideoOS.Platform)

------------------------------

Programmordner:

at VideoOS.Platform.Util.Security.SecurityClientXPCO.AddAccessControlEntries(Guid kind, String objectId, AccessControlEntry[] entries)

at VideoOS.Platform.Util.Security.SecurityClientXPCOWrapper.AddAccessControlEntries(Guid namespaceId, String objectId, AccessControlEntry[] entries)

at VideoOS.Platform.Util.SecurityAccess.SetPermittedAction(String identity, Item item, String actionId, Boolean permit)

at VideoOS.Administration.AddIn.PlatformAddIn.UserControlPlatformSecuritySetup.OnAfterCheck(Object sender, TreeViewEventArgs e)

===================================

VMO60021: Could not create the access entry. The object with the ID 67a21386-185f-48df-b6dd-1359d199961b does not exist. (mscorlib)

------------------------------

Programmordner:

Server stack trace:

at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at VideoOS.Platform.Util.Security.ISecurityService.AddPermissions(String namespaceId, String objectId, AccessControlEntry[] entries)

at VideoOS.Platform.Util.Security.SecurityClientXPCO.<>c__DisplayClass22_0.b__0(SecurityServiceClient client)

at VideoOS.Platform.Util.Svc.ClientPool`1.CallWithRetry(Action`1 method, Int32 retryCount)

at VideoOS.Platform.Util.Security.SecurityClientXPCO.AddAccessControlEntries(Guid kind, String objectId, AccessControlEntry[] entries)

Strange thing is that if I refresh (F5) the ManagementClient the items again disappear and I get the first error by trying to access the items in the role category.

Is there a certain way to update SecurityActions on existing items or did I miss something?

Thanks in advance!

In the SQL there are stored some Security Action entries, among others.

The key should be the plugin id for your plugin.

So if you use your id you should be able to find entries like this:

--

-- Placeholder: replace with the id of your plugin
declare @id uniqueidentifier
set @id = '11111111-2222-4444-aaaa-bbbbbbbbbbbb'

declare @secidOverall uniqueidentifier
declare @secidTab uniqueidentifier

-- Namespace, object and action rows registered under this id
select * from [Surveillance].[dbo].[SecurityNamespace] where namespace_id = @id
select * from [Surveillance].[dbo].[SecurityObject] where namespace_id = @id
select * from [Surveillance].[dbo].[SecurityAction] where namespace_id = @id

-- Security object for the namespace root ('/') and for the plugin object itself
set @secidOverall = (select security_object_id from [Surveillance].[dbo].[SecurityObject] where namespace_id = @id and object_id = '/')
set @secidTab = (select security_object_id from [Surveillance].[dbo].[SecurityObject] where namespace_id = @id and object_id = CAST(@id AS NVARCHAR(36)))

-- Access entries attached to those two security objects
select * from [Surveillance].[dbo].[SecurityAccessEntry] where security_object_id = @secidOverall
select * from [Surveillance].[dbo].[SecurityAccessEntry] where security_object_id = @secidTab

--

If you changed the “actions” but not the id you might have a mix of old and new stuff. A way to get out of the squeeze might be to simply start over with a new ID! Another way is to attempt to delete the entries read out by the SQL above.

Generally the entries should be created when you start the Management Client with your plugin loaded if they do not already exist.

There is an element of guessing here. If this does not lead you to find a solution you might need to start by explaining what is in the plugin (with source code snippets) and what you find in the tables I have mentioned in the SQL Server db.

Hi Bo,

thanks to your hints we took a closer look at the database and found the following behavior:

  1. Our old plugin version defines security actions only on the plugin level. According to this, the SecurityObject table only contains our plugin instance object id
  2. Our new plugin version also defines security actions on an intrusion area level. After the update, there is no entry in the SecurityObject table for the intrusion area which had been created with the old version. Also intrusion areas which have been created with the new plugin version are not reflected in the SecurityObject table. Even SecurityAccess.UnregisterItem(), SecurityAccess.RegisterItem(), SecurityAccess.Save() does not create the new SecurityObject

We assume that we have to add code to create the necessary SecurityObjects for MIP-Items which have been created with the old plugin version. How can we achieve this without deleting / re-creating the old item (which would affect plans and rules)?

Maybe it’s easier if we show you our problems via remote session.

Best regards,

Andreas (colleague of Simon)
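
A read-only consistency check along the lines of the queries in this thread, added here as an example (not code from the posters or from Milestone): it reports which expected items have no SecurityObject row, the condition behind the VMO60021 "object does not exist" error. It assumes the table and column names shown in the SQL above and that an item's object_id is its GUID as a string; the namespace id and the item ids are placeholders.

```sql
-- Added example: SELECT-only, changes nothing in the database.
-- Placeholder: the namespace id to inspect (plugin id or item kind id).
DECLARE @ns uniqueidentifier = '11111111-2222-4444-aaaa-bbbbbbbbbbbb';

-- Placeholder list: ids of the items that should carry security actions.
DECLARE @expected TABLE (item_id uniqueidentifier PRIMARY KEY);
INSERT INTO @expected (item_id) VALUES
    ('aaaaaaaa-0000-0000-0000-000000000001'),
    ('aaaaaaaa-0000-0000-0000-000000000002');

-- 1. Is the namespace registered at all? (0 rows matches error VMO60325)
SELECT COUNT(*) AS namespace_rows
FROM [Surveillance].[dbo].[SecurityNamespace]
WHERE namespace_id = @ns;

-- 2. Per expected item: is there a SecurityObject row, and how many
--    access entries hang off it?
SELECT e.item_id,
       so.security_object_id,
       CASE WHEN so.security_object_id IS NULL
            THEN 'MISSING' ELSE 'present' END AS security_object,
       COUNT(sae.security_object_id) AS access_entries
FROM @expected AS e
LEFT JOIN [Surveillance].[dbo].[SecurityObject] AS so
       ON so.namespace_id = @ns
      AND so.object_id = CAST(e.item_id AS NVARCHAR(36))
LEFT JOIN [Surveillance].[dbo].[SecurityAccessEntry] AS sae
       ON sae.security_object_id = so.security_object_id
GROUP BY e.item_id, so.security_object_id
ORDER BY security_object, e.item_id;

-- 3. SecurityObject rows in this namespace that are not in the expected
--    list (possible leftovers from the old plugin version).
SELECT so.object_id, so.security_object_id
FROM [Surveillance].[dbo].[SecurityObject] AS so
WHERE so.namespace_id = @ns
  AND so.object_id <> '/'
  AND NOT EXISTS (SELECT 1 FROM @expected AS e
                  WHERE so.object_id = CAST(e.item_id AS NVARCHAR(36)));
```

Running it before and after a repair attempt shows whether the missing rows were actually created.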

I am sorry but many developers are out of office due to Easter. We will get back to you as soon as possible. Sorry for the inconvenience.

Could you please create a support case so that we can facilitate exchange of more information on the coding you have? - and yes, that would also make it better possible to create a remote debug session and similar.

We are sorry to have kept you waiting…

Hi Bo, just want to follow up if there is any updated way to add or modify the SecurityActions without changing the Id?

I am sorry but many developers are out of office due to vacation season. We will get back to you as soon as possible. Sorry for the inconvenience.

Milestone developed a little tool that can check and mend Security objects on your items.

http://download.milestonesys.com/MIPSDK/Tools/MIPSecurityCheckup.zip

Download, unpack and run the MIPSecurityCheckup.exe. Login on the XProtect site.

You will see a list box with Available MIP Kinds; on this list the kinds defined by your integration should be listed. If you pick your kind by clicking on it you will on the right-hand side see a list of Security Actions these kinds implement and at the bottom you will see a list of defined items.

Now you can use the button Check Security Objects. When used, the items in the list will turn either red or green. Green means that the security objects are fine but red means they are not fine; they might be missing information because security was added later as in the scenario you have described.

If you have items in the list that are not green you can use the Fix Security Objects button. This will fix the missing information.

We have confirmation that the tool works on one site. We would like feedback on the tool if you use it. Your feedback will be appreciated.

Hi Bo,

Should the above tool MIPSecurityCheckup work with 2025R3? I am getting an error when connecting to a server.

br,

Piotr

It should work still.

One word of caution which should have been there originally. Please make sure you do a backup of the configuration, use the tool and test; if the test shows any issues with your items then restore the backup configuration.