This is just a blurb that I wanted to publish for my sake (so that I could look it up later) and for anyone else who has to install Alterian Studio who will invariably run into the same problem.
The problem: You want to set up a security group so that certain fields in your database are invisible to certain users. You log onto the management console and set up your group only to find that when you log off of the AMC and start the application, the fields you thought were invisible are still visible. You clearly saw the group created and users assigned to it in the AMC when you were building the group. So what happened?
Here is what happened: When you were logged onto the Alterian Management Console, you were indeed building a security group and assigning users to it. However the issue lies with where you were building that group. You were building it in memory. The AMC does not write to disk until you actually log off of your session. The other piece to this puzzle is what does the writing.
If you remember, back in the heady days of AMS 2.2, there were 3 parts that made up the essence of Alterian: Molecule.exe (the interface), Atom.exe (the distributor), and Nucleus.exe (the engine). Now with AMS 2.5/Engine 4.1 comes some serious performance improvements, and one of the reasons for those improvements is ConnectionBroker.exe, the sort of ‘traffic cop’ for the multi-tenant environment. You’ll also remember that in AMS 2.2/Engine 3.1, you needed to use DCOMCNFG to tell the application what account it needs to run under so that proper rights are given for these executables to access folders, write to disk, use network shares, etc. With ConnectionBroker in the mix, you need to do the same thing, but for ConnectionBroker, this is not done in DCOMCNFG. ConnectionBroker runs as a service, so configuration happens in the Microsoft Management Console under Services. Another catch is that changes are not immediate. When you change a service, you have to stop and then re-start the service for the change to take effect. By default, ConnectionBroker.exe runs under SYSTEM (the Windows SYSTEM account, not Alterian’s administrative account) which often is not given rights to write data willy nilly all over your server. Switching to whatever generic Alterian account you use in DCOM usually solves this problem as that account is 1) not accessed by regular users and 2) is an admin level account (Alterian uses ‘nuclog’, but where I work, we make our own account).
Once ConnectionBroker.exe service is set to run under a different account than the default Windows SYSTEM account, you will see the Security Group issue disappear. Interestingly, this issue does not rear it’s ugly head when creating/editing users themselves.
