PRB: MTS and COM+ Roles Are Not Applied Immediately (326818)


The information in this article applies to:

  • Microsoft Transaction Server 2.0
  • Microsoft COM+ 1.0
This article was previously published under Q326818

SYMPTOMS

When you make changes to the accounts that have access to packages, components, or methods, the updates are not applied immediately.

CAUSE

When a component is loaded and one of its methods is called, it stores in memory a list of the Security Identifiers (SIDs) that make up the role membership. For performance reasons, this list is updated only at regular intervals. When you request a method, the user's SID list is compared with the component's SID list for access permissions.

RESOLUTION

You can modify the role membership of package or application by using Microsoft Transaction Server Explorer or Component Services snap-in or by using computer management.

Use Microsoft Transaction Server Explorer

To modify the role membership of a package, you must shut down and restart the application. You can do this manually or by using Microsoft Transaction Server Explorer or the Component Services snap-in. Modification only takes effect when the component no longer has active objects.
  • Manually shut down and restart the application:
    1. Right-click the application, and then click Shut Down .
    2. Right-click the application, and then click Start.
  • Use COM+ to shut down the application:
    1. Right-click the application, and then click Properties.
    2. In the Properties dialog box, click the Advanced tab.
    3. In the Server Process Shutdown section, select Minutes until idle shutdown.
    4. In the text box, type the time. The application is shut down only when it has been idle for the specified time. For example, when you specify five minutes in the text box, the application must be in the idle state for five minutes, or the changes do not take effect.

Use Computer Management

You can modify the domain or local group membership of the user account by using any one of the following:
  • Computer Management (Microsoft Windows 2000)
  • Active Directory Users and Computers (Windows 2000)
  • User Manager (Microsoft Windows NT 4.0)
For the modifications to take effect, you must log off the computer. When you log on to the computer, a new SID list is generated.

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce the Behavior

Note The COM+ application must be a server application.
  1. Add a role to an application:
    1. Open Administrative Tools, and then double-click Component Services to open the COM+ application with Component Services.
    2. In the application, right-click the Roles folder, point to New, and then click Role.
    3. In the Role dialog box, type the name of the new role in the Please enter a name for the new item text box.
    4. Click OK.
  2. Add a user to a role for an application:
    1. Expand the Roles folder.
    2. Expand the role to which you want to add a user.
    3. Right-click the Users folder, point to New, and then click User.
    4. In the Select Users or Groups dialog box, double-click the user or group in the list.
    5. Click OK.
  3. Provide access to the role:
    1. Right-click the Components folder, and then click Properties.
    2. Click the Security tab.
    3. Click to select the role under Roles explicitly set for selected item(s).
  4. Remove the user from a role or remove access to the role. Note that the user can still access the component because the modifications are not immediately updated.
Modification Type:MajorLast Reviewed:1/26/2004
Keywords:kbprb KB326818 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.