JavaClient authentication error blocks ECO approval workflow for delegated users in ECO Management

We’re experiencing authentication failures in JavaClient when delegated users attempt to approve ECOs in our workflow. Our setup has primary approvers delegating authority to backup users during vacation periods, but these delegated users consistently receive authentication errors.

The error appears in JavaClient logs:

Authentication failed: user privileges insufficient
at com.agile.pc.cmserver.base.CMServer.authenticate()
Workflow approval matrix validation error

The delegated users have proper roles assigned in User Management and can log in successfully to Web Client. However, JavaClient approval actions fail specifically for delegated approvals. We’ve verified the workflow approval matrix includes both primary and delegated user roles, but the authentication check seems to ignore delegation relationships. This blocks our ECO approval process during coverage periods. Anyone encountered this JavaClient delegation issue?

Your issue requires addressing all three components: delegated approval configuration, JavaClient user roles, and workflow approval matrix settings.

Delegated Approval Configuration: First, verify delegation is properly configured in User Management. For each primary approver, go to User Management > User > Delegation tab. Ensure ‘Delegate Workflow Approvals’ checkbox is enabled and the delegation period covers your timeframe. Critical point: delegation must be saved and activated BEFORE the delegated user logs into JavaClient.

JavaClient User Roles: The authentication error occurs because JavaClient validates workflow privileges differently than Web Client. Your delegated users need these specific role assignments:

// Required role privileges for JavaClient workflow approval:
- Role: Change Analyst (or equivalent)
- Privileges: "Approve Changes", "Modify Change Orders"
- Workflow Access: Explicit inclusion in ECO approval matrix

Go to Admin > Users and Roles > Roles, edit the role assigned to delegated users, and verify under Privileges tab that workflow approval privileges are explicitly granted, not inherited.

Workflow Approval Matrix: This is the key fix. Edit your ECO workflow (Admin > Workflows > ECO). In the approval node configuration, the approval matrix must list ALL roles that can approve, including delegated user roles. JavaClient doesn’t dynamically resolve delegation - it checks if the user’s current role appears in the matrix.

Modify your approval matrix from:

Approval Matrix: [Engineering Manager Role]

To:

Approval Matrix: [Engineering Manager Role] OR [Senior Engineer Role] OR [Engineering Lead Role]

Include every role that delegated users might have. This allows JavaClient’s authentication check to pass when it validates the user’s actual assigned role against the matrix.

Additional Configuration: In agile.properties, verify:

com.agile.pc.cmserver.workflow.validateDelegation=true
com.agile.pc.cmserver.workflow.allowDelegatedApproval=true

After making these changes:

1. Have delegated users restart JavaClient completely
2. Clear JavaClient cache (delete .agile folder in user home directory)
3. Test approval with a delegated user on a test ECO
4. Check server logs for any remaining privilege validation errors

The root cause is JavaClient’s strict privilege validation that doesn’t follow delegation chains like Web Client does. By explicitly including delegated user roles in the workflow matrix, you bypass the delegation resolution issue. This approach maintains security while enabling your backup approval process to function in JavaClient.

If issues persist after these changes, check your Agile server logs (agile.log) during a failed approval attempt - look for ‘PrivilegeValidationException’ entries that will show exactly which privilege check is failing.

Check the privilege masks on your delegated users. Even if they have the correct roles, JavaClient validates specific privilege bits for workflow approvals. Log into Admin as a user with full privileges, go to User Management, select one of the failing delegated users, and review their Effective Privileges tab. Look for ‘Approve Changes’ and ‘Modify Change Orders’ privileges - these must be explicitly granted, not just inherited through role delegation. The authentication error you’re seeing is actually a privilege validation failure that JavaClient reports as an authentication issue.

We had this exact problem last year. The authentication error occurs because JavaClient’s workflow validation doesn’t properly resolve delegation relationships when checking approval authority. You need to modify the workflow approval matrix to include the specific roles assigned to delegated users, not rely on the delegation mechanism alone. Also verify that your JavaClient version matches your server version - we found mismatched versions caused inconsistent delegation behavior between Web and Java clients.

This is a known JavaClient limitation with delegated workflow approvals. The issue is that JavaClient performs a stricter privilege check than Web Client, validating against the workflow approval matrix directly rather than considering delegation chains. Your delegated users need explicit workflow privileges, not just inherited through delegation. I’d recommend adding a custom ‘Backup Approver’ role to your approval matrix as a workaround.

I’ve seen similar delegation authentication issues. The problem often stems from JavaClient caching user privileges at login time without refreshing when delegation relationships change. When a user is delegated approval authority, JavaClient doesn’t automatically pick up the new privilege set. Try having the delegated users completely restart JavaClient after delegation is assigned - this forces a fresh authentication and privilege load.

Check your workflow approval matrix configuration carefully. For delegated approvals to work in JavaClient, the workflow must explicitly include the delegated user’s role, not just rely on the delegation relationship. Go to Admin > Workflows, edit your ECO workflow, and verify that the approval node includes both the primary approver role AND any roles assigned to potential delegates. Also confirm in User Management that delegation is set to ‘Include Workflow Approvals’ not just ‘General Delegation’. The authentication error suggests the workflow matrix isn’t recognizing the delegate’s authority.