Issue with creating membership through admin user in DMX 5.2

Since I upgraded my plugin from dmx 5.1 to 5.2 I have trouble with previously working code. The code does the following. In the application there can be an application-wide administration user. For this user to have write privileges everywhere there is a specific function that sets this privilege. The actual implementation takes all possible workspaces that the app-admin needs and creates a membership. This function is itself privileged, of course, and is only supposed to work when logged in as (DMX) admin.

However in DMX 5.2 the membership creation fails because apparently the DMX admin has no write privilege to the workspaces. This may be true but how I am supposed to create this membership then?

The function I am using is AccessControlService.createMemberShip(userName, workspaceId)

UserName is my app-admin, workspace Id is one of the many possible workspaces that exist in the application.

Can you please show me your code (where you call createMembership()), and what the actual error message is.

The intended DMX 5.2 create-membership policy is as follows, and to my knowledge that is what is implemented as well:

  • Interactively in the Webclient: the current user (according to JSESSIONID cookie) must have WRITE permission to the very workspace
  • Programmatically by calling AccessControlService.createMemberShip(): no restrictions apply. Every user can create memberships. (Creating via HTTP API requires to be logged in though.)

See also #455 which, to my knowledge, fixed your original problem.

For testing, user “jri” created a public workspace “Birds” (ID 5052).
User “admin” can invite himselfes via HTTP API, even if – at that moment – he has no WRITE permission to “Birds”:

POST localhost:8080/access-control/user/admin/workspace/5052
Authorization: Basic YWRtaW46

A Membership between “admin” and “Birds” is created properly, and assigned to the “Birds” workspace. YWRtaW46 are admin’s credentials here.
It also works the other way round: user “jri” can join workspaces created by “admin”.

So at the moment I can’t reproduce the problem.
Maybe my knowledge and actual implementation differ.

Taking your example:
For testing, user “jri” created a public workspace “Birds” (ID 5052).
Can user “admin” make user “rsc” a member of “Birds” via AccessControlService.createMembership()?

The code looks like this (kotlin):
val userName = user.childTopics.getString(

        for (workspace in dmx.getTopicsByType(NS.dmx.workspaces.workspace)) {
            if (isWorkspaceIAmInterestedIn(workspace)) {

user is the app-admin user that should get all the privileges. The code runs in a custom transaction and with a session cookie that belongs to “admin” (the DMX administrator).

Good question!
I’ve tried that, and it failed:

Aug 19, 2021 4:41:33 PM systems.dmx.accesscontrol.AccessControlPlugin tryLogin
INFO: ##### Logging in as "admin" => SUCCESSFUL!
Aug 19, 2021 4:41:33 PM systems.dmx.core.util.UniversalExceptionMapper logException
SEVERE: Request "POST /access-control/user/jpn/workspace/5052" failed. Responding with 401 (Unauthorized). The original exception/error is:
java.lang.RuntimeException: Creating membership for user "jpn" and workspace 5052 failed
	at systems.dmx.accesscontrol.AccessControlPlugin.createMembership(
Caused by: java.lang.RuntimeException: Creating assoc of type "dmx.accesscontrol.membership" failed
	at systems.dmx.core.impl.AccessLayer.createAssoc(
	at systems.dmx.core.impl.CoreServiceImpl.createAssoc(
	at systems.dmx.core.impl.CoreServiceImpl.createAssoc(
	at systems.dmx.accesscontrol.AccessControlPlugin.lambda$createMembership$2(
	at systems.dmx.core.impl.PrivilegedAccessImpl.runInWorkspaceContext(
	at systems.dmx.accesscontrol.AccessControlPlugin.createMembership(
	... 51 more
Caused by: java.lang.RuntimeException: An error occurred in the PostCreateAssoc listener of plugin "DMX Workspaces"
	at systems.dmx.core.impl.EventManager.dispatchEvent(
	at systems.dmx.core.impl.EventManager.fireEvent(
	at systems.dmx.core.impl.AccessLayer.createAssoc(
	... 57 more
Caused by: java.lang.RuntimeException: Assigning association 3821 (typeUri="dmx.accesscontrol.membership") to workspace 5052 failed
	at systems.dmx.workspaces.WorkspacesPlugin._assignToWorkspace(
	at systems.dmx.workspaces.WorkspacesPlugin.postCreateAssoc(
	at systems.dmx.core.impl.CoreEvent$11.dispatch(
	at systems.dmx.core.impl.EventManager.dispatchEvent(
	... 59 more
Caused by: systems.dmx.core.service.accesscontrol.AccessControlException: user "admin" has no WRITE permission for object 5052
	at systems.dmx.accesscontrol.AccessControlPlugin.checkAccess(
	at systems.dmx.accesscontrol.AccessControlPlugin.checkWriteAccess(
	at systems.dmx.accesscontrol.AccessControlPlugin.checkTopicWriteAccess(
	at systems.dmx.core.impl.CoreEvent$3.dispatch(
	at systems.dmx.core.impl.EventManager.dispatchEvent(
	at systems.dmx.core.impl.EventManager.fireEvent(
	at systems.dmx.core.impl.AccessLayer.checkTopicWriteAccess(
	at systems.dmx.core.impl.TopicModelImpl.checkWriteAccess(
	at systems.dmx.core.impl.DMXObjectImpl.checkWriteAccess(
	at systems.dmx.workspaces.WorkspacesPlugin.checkAssignmentArgs(
	at systems.dmx.workspaces.WorkspacesPlugin._assignToWorkspace(
	... 62 more

Aug 19, 2021 4:41:33 PM systems.dmx.core.impl.TransactionFactory$TransactionResourceFilter$2 filter
WARNING: ### Rollback transaction of systems.dmx.accesscontrol.AccessControlPlugin#createMembership()

Now we’re talking!

I’ll fix this very soon. We could release it as 5.2.1 then.

Thank you for posting!

This is now fixed (#489).

Programmatically by calling AccessControlService.createMemberShip(): no restrictions apply. Every user can create memberships.

This is now fixed as well: in order to create a Membership the current user needs WRITE access to the given workspace.

The fixes will be released soon.

Hi Jörg,
yes, the exception you saw is exactly what I was seeing on my end. Sorry I could not provide a stacktrace, I only saw it in the debugger’s stack frames.

Good that it could be fixed!

Big plus if the updated DMX could be retrieved through some public maven repo again.