Viewers of OrgChart receive Access Denied

I’m implementing an OrgChart utilizing SharePoint User Profiles and can see everything AOK, however when I have a normal user try to view (new web part page w/ Plumsail OrgChart as the only part on the page) they get prompted for credentials and receive an access denied. In looking at the details of the ULS logs I see this:

System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace: at Microsoft.SharePoint.SPWeb.InitWeb() at Microsoft.SharePoint.SPWeb.get_EnableMinimalDownload() at Microsoft.SharePoint.Utilities.SPUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryString) at Microsoft.SharePoint.Utilities.SPUtility.RedirectToAccessDeniedPage(HttpContext context) at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context) at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex) at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, String& pbstrTitleResourceId, String& pbstrDescriptionResourceId, Guid& pguidID, DateTime& pdtTimeCreated, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID, Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour, Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl, String& pbstrThemedCssFolderUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl, String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags, DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage, Boolean& pbOverwriteMUICultures, Boolean& pbMUIEnabled, String& pbstrAlternateMUICultures, Int32& plSiteSchemaMajorVersion, Int32& plSiteSchemaMinorVersion, Int32& plSiteSchemaBuildVersion, Int32& plSiteSchemaRevisionVersion, Int32& puiVersion, Int16& pnClientTag, Boolean& pfIsEvalSite, Guid& pgSourceSiteId, DateTime& pdtExpirationDate, Guid& pgEvalSiteId, Guid& pguidAppProductId, String& pbstrRemoteAppUrl, String& pbstrOAuthAppId, String& pbstrAppDatabaseName, Guid& pgAppDatabaseServerReferenceId, String& pbstrAppDatabaseTargetApplicationId, String& pbstrAppWebDomainId, Int32& plUpgradeFlags, DateTime& pdtReminderDate, UInt64& pmaskDeny) at Microsoft.SharePoint.SPWeb.InitWeb() at Microsoft.SharePoint.SPWeb.get_RegionalSettings() at Microsoft.Office.Server.SiteContext.GetCollation(UserProfileApplicationProxy userProfileApplicationProxy) at Microsoft.Office.Server.UserProfiles.UserProfile.LoadOrganizationalUsers() at Microsoft.Office.Server.UserProfiles.UserProfile.GetDirectReports() at ›‹††‡— ‹“—šŽ‡œ˜˜ˆ.‰›™’‡ Šš’’‹–‹‘†.› •™’‘ˆ(UserProfile ) at ›‹††‡— ‹“—šŽ‡œ˜˜ˆ.‰›™’‡ Šš’’‹–‹‘†.‹‘ †›‹††(String ) at Plumsail.OrgChart.Service.OrgChartService.GetUserProfileGroupItemDataById(String id, String idFieldInternalName, String parentIdFieldInternalName) at SyncInvokeGetUserProfileGroupItemDataById(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet) at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext) at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext) at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result) at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result) at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously) at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item) at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread) at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread) at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread) at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.CompleteParseAndEnqueue(IAsyncResult result) at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.HandleParseIncomingMessage(IAsyncResult result) at System.Runtime.AsyncResult.SyncContinue(IAsyncResult result) at System.ServiceModel.Channels.HttpPipeline.EmptyHttpPipeline.BeginProcessInboundRequest(ReplyChannelAcceptor replyChannelAcceptor, Action dequeuedCallback, AsyncCallback callback, Object state) at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.ProcessHttpContextAsync() at System.ServiceModel.Channels.HttpChannelListener`1.BeginHttpContextReceived(HttpRequestContext context, Action acceptorCallback, AsyncCallback callback, Object state) at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result) at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest() at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest() at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state) at System.ServiceModel.AspNetPartialTrustHelpers.PartialTrustInvoke(ContextCallback callback, Object state) at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequestWithFlow(Object state) at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped) at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)

Is there a specific permission level on the page as well as the User Profile Service / Proxy that must be given to everyone in order for this to function correctly?

Thanks!

Any thoughts?

Hi, I would look at the SQL logs. In general if you get an Access denied there which ripples down to SharePoint it is much more explicit in its reporting information. The other place to look is the ULS logs (I am assuming that this is a Windows event log item)

After lots of digging, I’m able to narrow it down to the “Use Remote Interfaces” permission. The interesting part is that if that permission is allowed to a user within the site collection it still prompts for credentials and errors an “Access Denied”. If I go to the web application and create a web application scoped group that provides the “Use Remote Interfaces” rights (which also requires “Open” rights to be granted) it then allows the end user to load the org chart correctly.

Any ideas why the site-scoped rights for use remote interfaces aren’t respected?

We use claims-based authentication on our on-premise environment vs. the legacy NTML authentication if that makes a difference.

Thanks,
Brian

In recent versions, we changed the method of loading profiles. You could try to install the latest version of the application and check if the problem persists. Please inform us of the results.

Best regards
Evgeniy Kovalev
Plumsail Team

After some further digging, it looks like the OrgChart makes a web service call however it scopes that call to the web application root and not the site collection (or web) root. This chart in question was in a site collection, (i.e. /sites/humanresourcesandotherorganizationalthings/) so the users did not currently have permission to the root site collection on the web application (i.e. / ). Once that permission was granted everything worked.

Hi Brian,

Thank you for sharing results of your research. We located the service calls you mentioned and will fix it in the next release of the Org Chart.

We really appreciate your help in improving our product!

Best regards
Anton Khritonenkov
Plumsail Team

This has been fixed in the last version of Org Chart.