Question

What rights are needed to be able to create roles in the ODX Server to define access



I am trying to set up access to some tables in the ODX. When I try to add a role and search for an Azure AD user, I get the error:

Service request failed: Code: Authorization_RequestDenied ...
Module: TimeXtender.ODX.Engine
TimeXtender.ODX.Engine.ODXFaultException
   at TimeXtender.ODX.Engine.ODXEngine.SendServiceRequest[C,T](WcfServerSettings serverSettings, Func`3 func)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.<>c__DisplayClass11_0.<SearchClicked>b__0()
   at TimeXtender.DataManager.ConnectingThread.ExecuteConnectingThread(Object dummy)

Service request failed: Code: Authorization_RequestDenied ...
Module: timeXtender
TXModelInterface.ExceptionWrapperException
   at TimeXtender.DataManager.ConnectingThread.HandleError()
   at TimeXtender.DataManager.ConnectingThread.Execute(String title, Int32 progressSteps, List`1 actions)
   at TimeXtender.DataManager.AddODXSecurityRoleWizard_MemberSelectStep.SearchClicked(Object sender, EventArgs e)
 

This setup is a VM in Azure with ODX storage in ADLS. The Storage Account App Registration is owner of the storage account. Is a role like User Access Administrator on the App Registration enough, or are other rights involved?


10 replies


Hi @rory.smith 

Based on previous tickets, it seems that you need to set up the following Graph API permissions for the app registration. Please note that these require admin consent. It can also take a while before these take effect.

 


Hi @Christian Hauggaard,

thanks - I will check based on this and let you know.


I have added exactly those rights, with the difference that I have granted the admin consent and waited, but still the same error.


Hi @rory.smith 

Sorry for the delay. If you still have the issue, I have a suggestion.

The issue happens when you deploy the security rights to the container. I am not sure the rights of the app make much of a difference.

I seem to remember testing this once. These are my settings in my storage account.

While I am an owner and was before I added the Storage Blob Data Owner right, I still thought I needed to add it.

So maybe see if it works if you add this right for the App.


Hi @Thomas Lind ,

my app registration is both storage blob owner and contributor so that isn't enough either. Could it be that this happens because this VM is not domain-joined and the ODX Server service is running as a local account?


Hi @rory.smith 

I tried to remove all rights on an app, so it only got the default.

I got these rights on mine.

 


Hi @rory.smith 

Could you please try to join the VM to the domain and see if this resolves the issue?


Hi Christian,

 

the point of this server is that it is not part of our domain but lives in an isolated network. It looks like instead of querying Azure through an App registration, it asks through the VM.


Hi @rory.smith can you please send a screenshot of your current API permissions for your app registration?


Hi Christian,

 

currently:

 
