Web Page Crashes When Editing Model Permissions

Question

SQL Server 2017 MDS ... seems to be OK for some users but not others.  This crash occurs for all users that are in the Local Administrators group of the Server where SQLServer is installed.  I have not seen this crash for users that are not in the Local Administrators Group.  What could be wrong?

User and Group Permissions -> Edit Selected User -> Click Models Tab

[ArgumentOutOfRangeException: startIndex cannot be larger than length of string.
Parameter name: startIndex]
   System.String.Substring(Int32 startIndex, Int32 length) +14767352
   System.Linq.<>c__DisplayClass7_0`3.<CombineSelectors>b__0(TSource x) +23
   System.Linq.WhereSelectArrayIterator`2.MoveNext() +78
   System.Linq.Buffer`1..ctor(IEnumerable`1 source) +152
   System.Linq.Enumerable.ToArray(IEnumerable`1 source) +91
   Microsoft.MasterDataServices.Core.BusinessLogic.Security.ToModelPrivileges(DataTable table, ResultType resultType) +1638
   Microsoft.MasterDataServices.Core.BusinessLogic.Security.GetModelPrivilege(RequestContext context, Int32 principalId, SecurityResolutionType resolutionType, PrincipalType principalType, ResultType resultType, Collection`1 results) +213
   Microsoft.MasterDataServices.Core.BusinessLogic.Security.PopulateModelPrivilege(RequestContext context, Collection`1 users, SecurityResolutionType resolutionType, ResultType resultType) +325
   Microsoft.MasterDataServices.Core.BusinessLogic.Security.GetUserSecurity(RequestContext context, SecurityPrincipalsCriteria criteria, OperationResult results, Boolean pruneDenies) +751
   Microsoft.MasterDataServices.Core.BusinessLogic.Security.GetSecurityPrincipal(RequestContext context, SecurityPrincipalsCriteria criteria, SecurityPrincipals principal) +482
   Microsoft.MasterDataServices.Services.Service.SecurityPrincipalsGet(SecurityPrincipalsGetRequest request) +149
   Microsoft.MasterDataServices.WebUI.ServiceAdapter.ExecuteRequest(MdmServiceOperation`2 operation, TRequestType request, String caller) +159
   Microsoft.MasterDataServices.WebUI.ServiceAdapter.GetModelPrivileges(Guid principalId, PrincipalType principalType, SecurityResolutionType resolutionType) +421
   Microsoft.MasterDataServices.WebUI.ServiceAdapter.CacheModelPrivileges(Guid principalId, PrincipalType principalType, SecurityResolutionType resolutionType) +109
   Microsoft.MasterDataServices.WebUI.ServiceAdapter.GetModelPrivilegesFromCache(Guid principalId, PrincipalType principalType, SecurityResolutionType resolutionType) +149
   Microsoft.MasterDataServices.WebUI.Common.ModelTreeview.GetModelPermissions(SecurityResolutionType resolutionType) +291
   Microsoft.MasterDataServices.WebUI.Common.ModelTreeview.LoadTree(Node parentNode) +344
   Microsoft.MasterDataServices.WebUI.Common.ModelTreeview.LoadData() +442
   Microsoft.MasterDataServices.WebUI.Common.ModelTreeview.LoadData(String principalId, PrincipalType principalType, DisplayModeType displayMode, Int32 modelId) +158
   Microsoft.MasterDataServices.WebUI.Security.Common.Models.LoadTree() +280
   Microsoft.MasterDataServices.WebUI.Security.Common.Models.LoadData() +16
   Microsoft.MasterDataServices.WebUI.Security.Common.SecurityEditPageBase.OnLoad(EventArgs e) +222
   Microsoft.MasterDataServices.WebUI.Security.Common.Models.OnLoad(EventArgs e) +27
   System.Web.UI.Control.LoadRecursive() +68
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3785
 

Answer 1

Hi,

I have the same issue.

Any solution/explanation meanwhile?

Thanks

  Christoph

Answer 2

OK, found the problem for my case (and yes it's a bug):

Looks as if access to attribute groups is maintained in tblSecurityRoleAccess too.
The crash happens after the execution of mdm.udpSecurityPrivilegesSummaryGet
It was user specific, in my case:
exec mdm.udpSecurityPrivilegesSummaryGet @SystemUser_ID=48,@Principal_ID=3,@PrincipalType_ID=1,@ResolutionType=0

Execution in SSMS gave some lines with Securable_Name NULL.
Using Securable_ID I could find corresponding lines in tblSecurityRoleAccess, all with Object_ID =5 ("Attribute Group"). Deleting those lines (OK, I did a backup before ...) fixed the problem.

It looks (that's the bug) as if the entries in tblSecurityRoleAccess are not deleted when the Attribute Group is deleted/changed etc.

Best

Christoph

Answer 3

Thanks Christoph Seck!  I can confirm that your approach worked.

You can confirm that there are no AttributeGroup values using this:  [Object_ID]=5

           SELECT MUID,* FROM mdm.tblAttributeGroup ;

And you can confirm missing security connections using this view:

-- view tells you if any problems
select * from [mdm].[viw_SYSTEM_SECURITY_ROLE_ACCESSCONTROL]  as ssra
where ssra.Securable_MUID is null or ssra.Securable_Name is null