How to resolve the error received during login to Orchestrator: "You don’t have permissions to access Orchestrator in this tenant. Contact your administrator to request access. (#214)"?
Issue Description: At login to Orchestrator, the following error is returned: "You don’t have permissions to access Orchestrator in this tenant. Contact your administrator to request access. (#214)"
Root Cause: This happens when a user tries to access a tenant on which they have an account but to which they do not have access. Possible causes:
- Tenant was recently deleted and re-created but cleanup has not completed.
- The user does not have the web login permission but has an account for that tenant.
- This can happen after upgrading to 20.10+ and using Windows Integrated Authentication for access.
Diagnosing / Resolving
- Check to see if the user account has the web login permission.
- Read more on the User Details
- In the user page, select the user -> Edit, and in the 'User Details' page check whether 'Allow Web Login' is checked.
- If it is not, enable it.
- Check the event viewer logs of Orchestrator
- eventvwr->Application (we have KBs for how to check the event viewer logs)
- Look for errors from the Orchestrator source around the time the issue occurred.
- Check to see if something like the following is present
- Cannot create external login for S-1-5-XXXXXXXXXXXXXXXXX
  UiPath.Orchestrator.Core.Exceptions.BusinessConflictException: Error code - 1028, Message - 'Email 'XXXXXXXX' is already taken.'
    at async Task UiPath.Orchestrator.Application.Users.UserService.CreateAsync(UserDto input, UserCreateContext context)
    at async Task Abp.Domain.Uow.UnitOfWorkInterceptor.InternalInterceptAsynchronous(IInvocation invocation)
    at async Task Abp.Domain.Uow.UnitOfWorkInterceptor.InternalInterceptAsynchronous(IInvocation invocation)
    at async Task Abp.Runtime.Validation.Interception.ValidationInterceptor.InternalInterceptAsynchronous(IInvocation invocation)
    at async Task UiPath.Orchestrator.Application.Provisioning.DirectoryProvisioner.ProvisionUserAsync(DirectoryUserDto directoryUser)
    at async Task UiPath.Orchestrator.Application.Provisioning.DirectoryProvisioner.LoginUserAsync(string domain, string identifier)
    at async Task UiPath.Orchestrator.Security.Auth.Common.UserMapping.DirectoryUserMapper.MapLoginAsync(string domain, string identifier, string tenancyName)
- If the above is present, it means that the user exists as a local user in Orchestrator. This can be checked by looking at the user in Orchestrator. If a user is a directory user, their user name will look like: userName@ (e.g. robot@uipath)
- The error is thrown because Orchestrator thinks it has to create the user and fails, resulting in the login error.
- To fix this, see Converting Local AD Users into Directory Users
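The event log check described above can also be run from PowerShell. This is an added example, not UiPath's own code; it assumes the event source is named 'Orchestrator' and a 24-hour look-back window, and it matches the message text quoted above.

```powershell
# Added example: find "Cannot create external login" errors in the Application log
# and report which SID / e-mail address collided with an existing local user.
$source = 'Orchestrator'              # assumption: name of the event source
$since  = (Get-Date).AddHours(-24)    # assumption: issue occurred within the last day

# Patterns built from the error text quoted in this article.
$sidPattern   = 'Cannot create external login for (?<sid>S-1-5-[0-9-]+)'
$emailPattern = "Error code - 1028, Message - 'Email '(?<email>[^']*)' is already taken"

# Level 2 = Error. Get-WinEvent raises an error when nothing matches, so suppress it.
$filter = @{ LogName = 'Application'; ProviderName = $source; Level = 2; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$hits = foreach ($e in $events) {
    if ($e.Message -notmatch $sidPattern) { continue }
    $sid = $Matches['sid']

    $email = $null
    if ($e.Message -match $emailPattern) { $email = $Matches['email'] }

    # Resolve the SID to DOMAIN\user so the matching local user can be located.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(could not resolve SID)'
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Sid         = $sid
        Account     = $account
        EmailTaken  = $email
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Warning "No 'Cannot create external login' errors from source '$source' since $since."
}
```

Each row identifies a directory login that failed because a local user with the same e-mail address already exists.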
If the tenant was recently deleted, try doing an IISReset as an Admin from the command line (cmd->iisreset). Alternatively, wait some time. After a certain period, a Quartz cron job will clean up the tenant.