OnDemand Users Group

Support Forums => CMOD for Multiplatforms => Topic started by: teera_aoo on September 03, 2025, 11:10:32 AM

Title: ARSXML update permission query restriction
Post by: teera_aoo on September 03, 2025, 11:10:32 AM
I'm trying to update a query restriction with arsxml.

USER1 has permission to view application group AG1, but no query restriction was configured at first.
So when I export with arsxml export, the output XML looks something like this:

<onDemand xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <applicationGroup name="AG1" ... >
      <field name ... >
      <permission user="USER1" adminAuthority="true" lvAuthority="true" accessAuthority="true" docViewPerm="true" docAddPerm="true" docUpdatePerm="false" docDeletePerm="true" docPrintPerm="true" docCopyPerm="true" docHoldPerm="true" docCFSODPerm="true" docFTIPerm="true" annotViewPerm="true" annotAddPerm="true" annotDeletePerm="false" annotUpdatePerm="false" annotCopyPerm="true" />
       ....
   </applicationGroup>
</onDemand>

-- Then I edited it to --

<onDemand xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <applicationGroup name="AG1" ... >
      <field name ... >
      <permission user="USER1" adminAuthority="true" lvAuthority="true" accessAuthority="true" docViewPerm="true" docAddPerm="true" docUpdatePerm="false" docDeletePerm="true" docPrintPerm="true" docCopyPerm="true" docHoldPerm="true" docCFSODPerm="true" docFTIPerm="true" annotViewPerm="true" annotAddPerm="true" annotDeletePerm="false" annotUpdatePerm="false" annotCopyPerm="true"  queryRes="br_code = '001'" />
       ....
   </applicationGroup>
</onDemand>

When I execute the arsxml command, it doesn't update anything in the permission:
arsxml  -hlocalhost -uadmin -ppassword -i update_perm.xml  -v -x -ecu

...
ARS7709I Adding applicationGroup-permission, AG1-USER1
ARS7743E A permission object named 'USER1' already exists.
ARS7761I Add of applicationGroup-permission, USER1-USER1 failed.

-- Then I tried 'task="update"' inside the XML tag, still no luck --
      <permission user="USER1" task="update" adminAuthority="true" lvAuthority="true" accessAuthority="true" docViewPerm="true" docAddPerm="true" docUpdatePerm="false" docDeletePerm="true" docPrintPerm="true" docCopyPerm="true" docHoldPerm="true" docCFSODPerm="true" docFTIPerm="true" annotViewPerm="true" annotAddPerm="true" annotDeletePerm="false" annotUpdatePerm="false" annotCopyPerm="true"  queryRes="br_code = '001'" />

But something changed in the message ...

ARS7755E The permission object named 'USER1' can not be updated unless the parent object is also being updated.

Can anyone suggest a solution?
Title: Re: ARSXML update permission query restriction
Post by: Justin Derrick on September 03, 2025, 05:19:52 PM
You need to specify the Application Group or User Group that you want to apply that query restriction to.

As a matter of good governance, all permissions should be administered at the Group level, and users added to and removed from Groups in order to grant or restrict or deny access/permissions.

-JD.
Title: Re: ARSXML update permission query restriction
Post by: teera_aoo on September 05, 2025, 10:14:26 AM
Quote from: Justin Derrick on September 03, 2025, 05:19:52 PM
You need to specify the Application Group or User Group that you want to apply that query restriction to.

As a matter of good governance, all permissions should be administered at the Group level, and users added to and removed from Groups in order to grant or restrict or deny access/permissions.

-JD.

Yes, although I specified the group, I still cannot update the query restriction using the arsxml command.

...
  <applicationGroup name="AG1" ... >
     <permission group="GROUP"  ....... queryRes="br_code = '001'" />
...

Title: Re: ARSXML update permission query restriction
Post by: Justin Derrick on September 08, 2025, 03:25:29 PM
Ah, yes -- I see what you're doing now. 

Try adding the query restriction to the User/App Group via the Admin GUI, then do another export -- that will show you how CMOD expects a query restriction to appear in the XML -- then you can try to modify a different account.

But as I said before, it's better to assign these permissions at the group level, so it's easier to understand what permissions a user has by simply reviewing the groups they belong to.  It also allows for simplified administration through your Identity and Access Management team -- adding and removing users from groups in Active Directory / LDAP will change their permissions in CMOD if LDAPsync is configured.

-JD.
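
Added example (not part of any post in this thread, and not IBM's code): a small Python script that compares two arsxml exports, as suggested in the last reply, to show exactly which permission attributes a GUI change produced, and that also lists permissions granted directly to users or lacking a query restriction. The sample exports are constructed and use only attribute names visible in the thread; real exports carry more attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not real arsxml output); attribute names are
# the ones visible in the thread: user, group, queryRes, doc*Perm.
BEFORE = """<onDemand xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <applicationGroup name="AG1">
    <permission user="USER1" docViewPerm="true" docDeletePerm="true"/>
    <permission group="GROUP" docViewPerm="true" docDeletePerm="false"/>
  </applicationGroup>
</onDemand>"""

# Assumption: the second export differs only by a queryRes attribute on GROUP.
AFTER = BEFORE.replace('group="GROUP" ', 'group="GROUP" queryRes="br_code = \'001\'" ')

def permissions(xml_text):
    """Map (application group, 'user'|'group', principal) -> attribute dict."""
    result = {}
    for ag in ET.fromstring(xml_text).iter("applicationGroup"):
        for perm in ag.findall("permission"):
            attrs = dict(perm.attrib)
            kind = "user" if "user" in attrs else "group"
            name = attrs.pop(kind, "")
            result[(ag.get("name"), kind, name)] = attrs
    return result

def diff_exports(before_xml, after_xml):
    """Return {key: {attr: (old, new)}} for permissions whose attributes differ."""
    old, new = permissions(before_xml), permissions(after_xml)
    changes = {}
    for key in old.keys() | new.keys():
        a, b = old.get(key, {}), new.get(key, {})
        delta = {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}
        if delta:
            changes[key] = delta
    return changes

def audit(xml_text):
    """Flag direct user grants and grants that carry no query restriction."""
    findings = []
    for (ag, kind, name), attrs in sorted(permissions(xml_text).items()):
        if kind == "user":
            findings.append((ag, name, "direct user permission"))
        if not attrs.get("queryRes"):
            findings.append((ag, name, "no query restriction"))
    return findings

if __name__ == "__main__":
    print(diff_exports(BEFORE, AFTER))
    print(audit(AFTER))
```

To use it on real exports, read each export file into a string and pass the two strings to diff_exports.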