Forum Discussion

adykes's avatar
adykes
New Contributor III
6 months ago

Data Access Security & App Server Issues

Note: this post is a follow-up from a post I made previously: https://community.onestreamsoftware.com/t5/Application-Build/Member-List-Business-Rule-in-Data-Access-Security/m-p/34916#M3533

Hi all, 

Previously, I had asked about some details surrounding the running of a MemberList BR in a Data Access security filter; specifically, when the data access security runs (answer: every 24 hours unless IIS is reset) and if there's a way to force a re-run (answer: resetting IIS). After doing more work on this, we noticed that it looks like the data access security is applied on an app server-by-app server basis, and the app server that's used to handle the security is based on the app server that handles the user's log in. For example, if my log in action is handled by AppServer1, the data access security that's applied to my session is determined by the security that's currently applied in AppServer1. So it's therefore possible that one user, their logging-in being handled by AppServer1 (which in this example is currently up-to-date), could have a different data access security applied than another user whose login is handled by AppServer2 (which is not up-to-date) until the data access security on AppServer2 is re-run.

Additionally, we haven't been able to use an IIS reset to re-run the data access security. We've tried resetting IIS in both the main app server and the specific app server that handles the user's login to no avail. There seems to be some sort of amount of time that has to pass in order for the data access security to run again, but sometimes this isn't even kicked off by the user attempting to access data - the actual security has to be changed and then saved and then reverted to kick off the re-run.

My questions are therefore:

1. Is this observation of the data access security being tied to the app server that handles the user's login actually correct? Or am I missing something?

2. Does the "Recycle App Pool" button in the environment page equate to requesting an IIS reset in the OneStream ServiceNow catalog?

Thanks in advance!

Security
  • Henning's avatar
    Henning
    Valued Contributor II
    6 months ago

    Hi, 

    Unfortunately, I do not have a multi-server instance to test this. This also explains why resetting IIS on my single server always works ( ğŸ˜‰ ).

    But yes, I would strongly assume that you need to restart all relevant servers in order for your new memberlist in your cube data access security is in place. As you say, otherwise a server that has not been restarted can still work with the previous security setting in place.

    Yes, Recycle App Pool is restarting IIS, which is what the support team does as well (though they restart all I believe, while Recycle App Pool only restarts a server at a time).

     

    What do you need this to restart for? Only for developing as per the other post, or do you seek to restart this during the closing process as part of a more dynamic security / data access requirement? Restarting IIS during development seems reasonable, while relying on this for a closing process seems possibly not in line with a process auditors require (IMHO).