Topic: v16.1 - Can't login as admin

Paolo F Cantoni

v16.1 - Can't login as admin
« on: November 25, 2022, 04:37:00 pm »
When you change the password of a local account in a repository, EA updates t_secuser and posts an entry in t_xref.  We changed the admin password - the ONLY local entry; the rest are AD imports.  And we can't log in as admin!

Everything appears OK, apart from the observation that the t_xref value is placed in the supplier field rather than the more usual description field.  What could be causing the problem?  Is there some "secret sauce"?

NOTE: This affects both 32-bit and 64-bit (and v15.2)

Reported,
Paolo
« Last Edit: November 25, 2022, 04:39:58 pm by Paolo F Cantoni »
Inconsistently correct systems DON'T EXIST!
... Therefore, aim for consistency; in the expectation of achieving correctness....
-Semantica-
Helsinki Principle Rules!

Modesto Vega

Re: v16.1 - Can't login as admin
« Reply #1 on: November 25, 2022, 09:24:20 pm »
Looks like it could be a nasty bug. The fact that it is still not possible to map the repository admin account to an AD account or group is beyond me. The same applies to PCS by the way.

Geert Bellekens

Re: v16.1 - Can't login as admin
« Reply #2 on: November 25, 2022, 09:39:32 pm »
> The fact that it is still not possible to map the repository admin account to an AD account or group is beyond me. The same applies to PCS by the way.
I think that's a good thing.

In case the connection to AD fails for some reason, you still have a way to get into the model with the admin account.

We have an admin group, that has all the rights, and is linked to an AD group. The admin account is simply an emergency backdoor.

Geert

Paolo F Cantoni

Re: v16.1 - Can't login as admin
« Reply #3 on: November 26, 2022, 01:43:22 am »
Is anyone prepared to confirm the behaviour?  I suspect that the admin account won't work even if you haven't changed the password.

Paolo

Geert Bellekens

Re: v16.1 - Can't login as admin
« Reply #4 on: November 26, 2022, 01:51:44 am »
> Is anyone prepared to confirm the behaviour?  I suspect that the admin account won't work even if you haven't changed the password.
>
> Paolo
Just did a quick test with version 16.1.1622 on a .qea model.
I could change the password of the admin user without any problem (and I could change it back to the original password again as well)

Geert

Eve

  • EA Administrator
Re: v16.1 - Can't login as admin
« Reply #5 on: November 28, 2022, 09:18:25 am »
> > The fact that it is still not possible to map the repository admin account to an AD account or group is beyond me. The same applies to PCS by the way.
> I think that's a good thing.
>
> In case the connection to AD fails for some reason, you still have a way to get into the model with the admin account.
>
> We have an admin group, that has all the rights, and is linked to an AD group. The admin account is simply an emergency backdoor.
>
> Geert
Exactly. You can still associate a given AD group with the Administrators group (or any that you've given permissions to) and have admin rights in an AD login. There needs to be a way to get into the model if something goes wrong with the AD logins.
Eve

support@sparxsystems.com

Paolo F Cantoni

Re: v16.1 - Can't login as admin
« Reply #6 on: November 28, 2022, 02:18:26 pm »
> > Is anyone prepared to confirm the behaviour?  I suspect that the admin account won't work even if you haven't changed the password.
> >
> > Paolo
> Just did a quick test with version 16.1.1622 on a .qea model.
> I could change the password of the admin user without any problem (and I could change it back to the original password again as well)
>
> Geert
Thanks, but any chance you could try it on a SQL Server model?  We don't use .qea (or .qeax) models yet, and the problem occurs on our main SQL Server repository and the .eapx snapshots we take of it.


Paolo

Geert Bellekens

Re: v16.1 - Can't login as admin
« Reply #7 on: November 28, 2022, 06:55:04 pm »
Same thing on SQL Server. Works as expected, without issues.

Geert

Modesto Vega

Re: v16.1 - Can't login as admin
« Reply #8 on: November 28, 2022, 08:44:53 pm »
> > > The fact that it is still not possible to map the repository admin account to an AD account or group is beyond me. The same applies to PCS by the way.
> > I think that's a good thing.
> >
> > In case the connection to AD fails for some reason, you still have a way to get into the model with the admin account.
> >
> > We have an admin group, that has all the rights, and is linked to an AD group. The admin account is simply an emergency backdoor.
> >
> > Geert
> Exactly. You can still associate a given AD group with the Administrators group (or any that you've given permissions to) and have admin rights in an AD login. There needs to be a way to get into the model if something goes wrong with the AD logins.
Not sure "emergency backdoor" are 2 words anybody working on cybersecurity wants to hear. In my opinion, it should be possible to disable the admin account. Also, since this is not an AD or OpenID account, it could be confusing to have the same Global options for this and other Sparx accounts.

Geert Bellekens

Re: v16.1 - Can't login as admin
« Reply #9 on: November 28, 2022, 09:20:28 pm »
> Not sure "emergency backdoor" are 2 words anybody working on cybersecurity wants to hear. In my opinion, it should be possible to disable the admin account. Also, since this is not an AD or OpenID account, it could be confusing to have the same Global options for this and other Sparx accounts.
Indeed, but on the other hand you could ask yourself, what are you really protecting here.

If you don't want anyone other than a certain AD group to be able to access the model, you can protect your database and/or PCS.

So it's only if you already have access to the database that we can access the model as admin.
Usually there are no real secrets in the model for users that have access anyway; and if they are real savvy, they can "hack" themselves in anyway once they have database access.

So it's more of a convenience backdoor than anything else.

I don't consider EA's internal user management as "security". It's unfortunately named that way, but it's more like "user management".
It doesn't really provide any real security. It merely protects us from accidents (e.g. users changing things they shouldn't have)

Geert



Paolo F Cantoni

Re: v16.1 - Can't login as admin
« Reply #10 on: November 28, 2022, 10:00:11 pm »
> Same thing on SQL Server. Works as expected, without issues.
>
> Geert
Thanks,

Looks like I'll have to look deeper...

Paolo