"It is not valid for the current user to remove the administration permission from themselves."

  • Question

  • Dear everyone, 

    I am facing the problem that a normal user (one who does not have the security admin permission) can't remove his role or another user's role by code. A normal user should have the 'Security Administration' permission if he wants to work with SecurityData. But I can only add this role to a user, and canNOT remove it. You get this error: "It is not valid for the current user to remove the administration permission from themselves.".

    This is my code:

    partial void UserPositions_Updated(UserPosition entity)
    {
        if (entity.QuitJob == true)
        {
            using (Application.Current.User.AddPermissions(Permissions.SecurityAdministration))
            {
                var ra = this.DataWorkspace.SecurityData.RoleAssignments_SingleOrDefault(entity.User.IDCard, entity.Position.PositionName);
                if (ra != null)
                    ra.Delete();
                this.DataWorkspace.SecurityData.SaveChanges();
            };
        }
    }


    Is there anyone who can help me, please?

    Friday, March 28, 2014 4:38 PM

All replies

  • Cool question !

    Not sure if I understand the whole scenario.

    You are trying to delete a role assignment. Now, are you saying that this delete never works, or only in the case where the role assignment is 

    a) about a role assignment for the currently logged on user +

    b) where the role (among others) contains the security admin permission.

    So, can you delete role assignments for users other than the currently logged on one? Can you delete role assignments for roles that do not contain the security admin permission?

    I must say, in the case that you effectively get the error when you are deleting a role assignment for the currently logged on user and where the role contains the security admin permission, it sounds completely acceptable that this is blocked, and congrats to the product team for thinking about that scenario.

    Can you test the specific case where you are deleting a role assignment for a role containing security admin and where the user is security admin, and run your code without the permission elevation (just put it in a comment one time)?

    If that works, you could adapt your code and use user.HasPermission() to check whether you are working with a user who has security admin, and in that case NOT do the permission elevation.

    Mhmm. very exotic case, unless I'm completely misunderstanding the point.


    paul van bladel

    Friday, March 28, 2014 8:24 PM
  • Hello Paul, 

    I mean in this case:

    - If the user has the security admin role, he can delete the selected user's role assignment (just the job position's role, which does not have the security administration permission in the role) with this code.

    - But if the user doesn't have the security admin permission (he is just a human resources manager), he can't delete his (or his employees') role when they quit the job. I wrote the code so that if someone quits the job, the HR manager needs to set the checkbox "Quit Job" to true. And if the HR manager wants to delete his (or his employee's) role - meaning he does something that affects the Security Database - he must have the Security Admin permission. That's why I used

    using(Application.Current.User.AddPermissions(Permissions.SecurityAdministration))

    But when he has done his job

    var ra = this.DataWorkspace.SecurityData.RoleAssignments_SingleOrDefault(entity.User.IDCard, entity.Position.PositionName);
    if (ra != null)
        ra.Delete();
    this.DataWorkspace.SecurityData.SaveChanges();

    he could NOT remove the Security Admin permission. The server gives an error:

    It is not valid for the current user to remove the administration permission from themselves.

    Before that, I used the code to create a new people registration, and it all ran well. People who do not have the security permission can add a new user to Security Data and can remove the SecurityAdministration permission when they have done the job.

    using (Application.Current.User.AddPermissions(Permissions.SecurityAdministration))
    {
        var newUser = this.DataWorkspace.SecurityData.UserRegistrations.AddNew();
        newUser.UserName = entity.IdCard;
        newUser.FullName = entity.FullName;
        newUser.Password = entity.Birthday.ToString("ddMMyyyy");
        this.DataWorkspace.SecurityData.SaveChanges();
    };

    NOTE: I just let the HR Manager remove his employee's job position role in the company, which does not contain the SecurityAdministration permission in the role.
    • Edited by Little_1991 Saturday, March 29, 2014 1:37 PM
    Saturday, March 29, 2014 1:30 PM
  • Ok, I see.

    But are you aware of the fact that the AddPermissions extension method does not really add the permission in the database? It's just a temporary permission elevation for the current user.

    The sole fact that you use this method (as you are doing correctly) inside a using statement, will automatically remove that permission for the current user. So, there is no reason at all to try to remove it from the database. 

    Does this make sense to you?


    paul van bladel

    Saturday, March 29, 2014 2:06 PM
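
The two suggestions made in the replies above (check HasPermission first, and rely on the using scope to end the temporary elevation) combined in one sketch. This is an added example, not code posted by anyone in the thread; the helper name RemoveRoleAssignment, its parameters, the ApplicationDataService class name and the Microsoft.LightSwitch.Security.Server namespace are assumptions, while the SecurityData calls are the ones from the question.

```csharp
using System;
using Microsoft.LightSwitch;
using Microsoft.LightSwitch.Security.Server; // assumed home of the AddPermissions extension

namespace LightSwitchApplication
{
    public partial class ApplicationDataService // assumed data service class name
    {
        // Hypothetical helper: removes one role assignment with the
        // narrowest possible elevation window.
        private void RemoveRoleAssignment(string userName, string roleName)
        {
            var user = Application.Current.User;

            // Elevate only when the caller does not already hold the permission.
            IDisposable elevation =
                user.HasPermission(Permissions.SecurityAdministration)
                    ? null
                    : user.AddPermissions(Permissions.SecurityAdministration);
            try
            {
                var ra = this.DataWorkspace.SecurityData
                    .RoleAssignments_SingleOrDefault(userName, roleName);
                if (ra != null)
                {
                    ra.Delete();
                    // Save while still elevated; SecurityData requires the permission.
                    this.DataWorkspace.SecurityData.SaveChanges();
                }
            }
            finally
            {
                // Disposing ends the in-memory elevation. Nothing was written to
                // the security tables for it, so there is nothing to delete there.
                if (elevation != null)
                    elevation.Dispose();
            }
        }
    }
}
```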
  • I know that it's just a temporary permission. But what I want is to remove the employee's job position role (e.g. Employee role); I don't want to have any effect on the Security Administration permission. But I need to use it so that people (who do not have the SecurityAdmin permission) can remove a role assignment. And now it has this error, so the job position role in the role assignment cannot be deleted, so I don't know how to write code for people to remove the role assignment????

    Is there another way for people (who don't have the security administration permission) to remove their own or other people's role assignments?


    • Edited by Little_1991 Saturday, March 29, 2014 2:54 PM
    Saturday, March 29, 2014 2:54 PM
  • I can't reproduce this.

    I'm logged in with "testuser" (in debug) and don't have security admin.

    I created before another user user1 with roleA.

    I can perfectly remove RoleA from user1, with the permission elevation mechanism.

    Which version of LS are you using? Do you have the problem only in a deployed app, or also in debug?


    paul van bladel

    Saturday, March 29, 2014 3:13 PM
  • I am using LS 2012 Update 3.

    And this problem only occurred in the deployed app; in debug, it didn't happen.

    Saturday, March 29, 2014 4:23 PM
  • I'm using 2013 and even in a deployed app, it all works.

    Same scenario: UserX (not having sec.admin) removed roleA from userY by means of permission elevation.

    So, upgrading to 2013 seems to be the solution :)


    paul van bladel

    • Marked as answer by Little_1991 Monday, March 31, 2014 11:50 PM
    Saturday, March 29, 2014 6:37 PM
  • Yup, upgrading the project to 2013 is a solution, but I lost some useful extension :(
    Monday, March 31, 2014 11:50 PM