RG052 – How NOT to use Workspace Containers

By Max Ranzau

Usually what happens when someone starts out with RES Workspace Manager, and stumble over the User Context | Workspace Containers, they’ll go “Hey, cool! – I’m gonna make myself a Admin Workspace Container, where I’ll stick all the admin tools in!” So merry as you are, you go ahead and create the container, ensuring that only your admin group can access it. If you are running production at this point you’re in for a rather nasty surprise. All your regular users won’t be able to log in! They will get this little number:

workspace-container-no-access

Here’s the text, so the search engines can pick it up: “One or more applicable workspace containers were found, but access was not granted. Now logging off session.” Suprising as this might be to some, it’s actually per design. The design rationale is that workspace containers are able to double as a security principle limiting devices to a group of users. In other words, you can use the workspace containers to restrict users from accessing certain computers on the premise.

To make sense of the whole thing, try and remember the following ground rules:

  • Workspace containers are NOT groups.
  • Let’s repeat that one more time: Workspace containers are NOT groups.
  • If one or more workspace containers are defined, at least ONE must be active/accessible to allow access to the session.
  • Multiple workspace containers can overlap, being active in a session
  • All of the above are true regardless if any exceptions (see this article) or configuration items have been assigned to the workspace containers

So, in short if you want to use the workspace containers, make sure that no users fall in the cracks between your workspace containers. Alternatively, you could just create a Catch-All container with the Computer Control tab checkbox “Add all computers to the workspace container” and Access Control set to Everyone and no Zones defined. While this will prevent you from limiting access to certain computers, this at least will ensure that all users at least will have one active workspace container defined.

 

No Comments

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

Comments are welcome as always. Just do the math below. * Time limit is exhausted. Please reload the CAPTCHA.