IDM UI: access denied

Hi,
I transported my configuration to a production environment and my IDM Web Dynpros are showing access denied.
This is the error in the defaulttrace file:

Full Message Text

Exception getting tab visibility
[EXCEPTION]
com.sap.idm.jmx.exceptions.IdmException: Access denied
at com.sap.idm.jmx.ic.EntryUtil.getTabVisibility(EntryUtil.java:1746)
at com.sap.idm.jmx.impl.SAP_ITSAM_IDM_Service_Impl_Impl.retrieveTabs(SAP_ITSAM_IDM_Service_Impl_Impl.java:1369)
at com.sap.idm.jmx.SAP_ITSAM_IDM_ServiceWrapper.invoke(SAP_ITSAM_IDM_ServiceWrapper.java:450)
at com.sap.pj.jmx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:944)
at com.sap.pj.jmx.server.interceptor.MBeanServerWrapperInterceptor.invoke(MBeanServerWrapperInterceptor.java:288)
at com.sap.engine.services.jmx.CompletionInterceptor.invoke(CompletionInterceptor.java:409)
at com.sap.pj.jmx.server.interceptor.BasicMBeanServerInterceptor.invoke(BasicMBeanServerInterceptor.java:277)
at com.sap.jmx.provider.ProviderInterceptor.invoke(ProviderInterceptor.java:258)
at com.sap.engine.services.jmx.RedirectInterceptor.invoke(RedirectInterceptor.java:340)
at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:330)
at com.sap.engine.services.jmx.MBeanServerSecurityWrapper.invoke(MBeanServerSecurityWrapper.java:287)
at com.sap.engine.services.jmx.ClusterInterceptor.invoke(ClusterInterceptor.java:776)
at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:330)
at com.sap.idm.wd.jmx.SAP_ITSAM_IDM_Service$Impl.retrieveTabs(SAP_ITSAM_IDM_Service.java:434)
at com.sap.idm.wd.modelwrapper.ModelWrapperInterface.getTabVisibility(ModelWrapperInterface.java:478)
at com.sap.idm.wd.modelwrapper.wdp.InternalModelWrapperInterface.getTabVisibility(InternalModelWrapperInterface.java:184)
at com.sap.idm.wd.modelwrapper.wdp.InternalModelWrapperInterface$External.getTabVisibility(InternalModelWrapperInterface.java:351)
at com.sap.idm.wd.wf.toptab.TopTab.InitializeContext(TopTab.java:372)
at com.sap.idm.wd.wf.toptab.wdp.InternalTopTab.InitializeContext(InternalTopTab.java:216)
at com.sap.idm.wd.wf.toptab.TopTabView.wdDoInit(TopTabView.java:101)
at com.sap.idm.wd.wf.toptab.wdp.InternalTopTabView.wdDoInit(InternalTopTabView.java:186)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.doInit(DelegatingView.java:61)
at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
at com.sap.tc.webdynpro.progmodel.view.View.initController(View.java:445)
at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
at com.sap.tc.webdynpro.progmodel.view.ViewManager.getView(ViewManager.java:709)
at com.sap.tc.webdynpro.progmodel.view.ViewManager.bindRoot(ViewManager.java:579)
at com.sap.tc.webdynpro.progmodel.view.ViewManager.init(ViewManager.java:155)
at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.doOpen(WebDynproWindow.java:295)
at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.show(ApplicationWindow.java:182)
at com.sap.tc.webdynpro.clientserver.window.ApplicationWindow.open(ApplicationWindow.java:177)
at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:364)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doGet(DispatcherServlet.java:46)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)

I checked the configuration again and again:
1. We are using a user that is created in the UME. This user is known in the IDM ID store and is a member of the privileges:
- MX_PRIV:WD:TAB_HISTORY
- MX_PRIV:WD:TAB_MANAGE
- MX_PRIV:WD:TAB_REPORT
- MX_PRIV:WD:TAB_TODO
2. Visual admin
- The ID of the used ID store is 3.
- The DB connection is working
3. Version info of the Web Dynpro is exactly the same as in the development environment.
4. We already did an undeploy, restart, deploy & restart ...

What are we missing?

kr,
Joachim

Hi,
All configuration seems correct.
IDStore is set.
When I try with a user who's not in the IDStore, I can see another error message in the log file:
No user found with username=USERNAME.
When I start the Searchentry-webdynpro (tcidmwdworkflow/SearchEntry and not tcidmwdworkflow/idm), I can execute all tasks with the valid user.
Version is 7.0 (same version as on development server and there it's working)
kr,
Joachim

Similar Messages

  • SAP IDM 7.1 ACCESS DENIED accessing the IDM interface

    Hello,
    I have finished configuring my IDM 7.1. But when I try to access the IDM webpage it gives me
    ACCESS DENIED
    SERVICE IS DOWN.
    And this happens even though I have given the user all the authorizations of the installation guide.
    I even tried the function ADD USER into the identity store but still no success.
    Has any of you experienced the same issue?
    Kind Regards

    Hello,
    However, your input was useful. My problem was related to the JDBC configuration. I deleted and completely recreated the JDBC connection.
    After that the error went away. I faced another error telling me "No identity stores defined for workflow".
    I used this link to create another Identity Store and everything went well.
    For those who could face the same problem, here is the link:
    http://wiki.sdn.sap.com/wiki/display/Security/NWIDM7.0-WorkingwithWorkflowsPartI

  • IDM User Interface: Access Denied, Service Down

    Hello,
    I have a problem with the login to the IDM UI. I get the message: "Access denied, Service down".
    In the userinterface_00.0.log following information is stored:
    #2.0 #2010 08 10 12:40:19:898#0-700#Info#/System/UserInterface#
    #BC-WD-JAV#tc~wd~webdynpro#0003FF252E3400A600000009000003D8#1050550000000004#sap.com/tc~idm~wd~workflow#
    com.sap.tc.webdynpro.services.session.SynchronizedScopeMaintainer#Administrator#9##
    164C6500A4B711DF93E60003FF252E34#f8874f50a4b411dfbe830003ff252e34#f8874f50a4b411dfbe830003ff252e34#0#
    Thread[HTTP Worker [@25656386],5,Dedicated_Application_Thread]#Plain##
    Deprecated scope of type SERVERSESSION_AT_LEAST_ONE_APP_SCOPE is used! Please replace the usage of scopes
    with new mechanism based on "Cross application session communication API".#
    Can anyone help me please...?!

    Hi Sony,
    Judith and I use CE 7.2, too. We downloaded the components under this link: https://websmp110.sap-ag.de/support
    Choose the following path:
    Support Packages and Patches - Entry by Application Group -> SAP NetWeaver and complementary products -> SAP NW IDENTITY MANAGEMENT -> SAP NW IDENTITY MANAGEMENT 7.1
    There we downloaded:
    - ICDESIGNTIME05_1-10007480.ZIP
    - ICRUNTIME05_0-10007481.ZIP
    - IDMIC05_0-10007483.SCA
    Maybe this helps you...

  • View access denied to Subject Reset on Policy

    Hi, there.
    I created a custom workflow so that anonymous user can launch the workflow, then start creating an account.
    During the workflow activity, the first form is asking the user to enter the accountID of his/her choice, and the form has a validation logic to catch any conflict with the accountId policy. (For example, the accountID must be at least 4 characters long.)
    <Rule name='Validate String With AccountId Policy'>
      <Description>returns "true" if validation succeeded. returns error message if validation failed.
      </Description>
      <RuleArgument name='string'/>
      <block trace="true">
        <invoke name='checkStringQualityPolicy' class = 'com.waveset.ui.FormUtil'>
          <rule name='getCallerSession'/>
          <s>AccountId Policy</s>
          <ref>string</ref>
          <null/>
          <null/>
          <s>user</s>
        </invoke>
      </block>
    </Rule>
    The validation rule specified above works well if the form is used by the existing IDM admin user, however, this throws an exception when the form is used by the anonymous user.
    XPRESS <invoke> exception:
    com.waveset.util.WavesetException: Can't call method checkStringQualityPolicy on class com.waveset.ui.FormUtil
    ==> com.waveset.util.WSAuthorizationException: View access denied to Subject Reset on Policy: AccountId Policy.
    It seems like the anonymous user does not have any access right to Policy objects.
    Does anyone know how to get around this problem?
    In worst case, I can create another rule that is checking the string length, but I really wish I can take advantage of the built-in policy checking routine.
    Thanks for reading my post. :)

    Can you use the <RunAsUser> functionality within your rule?
    To use it you add this inside the <Rule>
    <RunAsUser>
    <ObjectRef type='User' name='Configurator'/>
    </RunAsUser>
    More information can be found in IDM FAQ.
    HTH..

  • End User Rule View Access Denied

    Hi,
    This has been discussed here, but after trying all possible options it still doesn't seem to be working.
    I am using a rule in an end user task, which throws "View Access Denied to Subject on Rule" error.
    I've set the rule authType to "EndUserRule" and
    <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
    for MemberObjectGroups.
    Still it would keep throwing same error. I even used:
    <RunAsUser>
    <ObjectRef type='User' id='#ID#Configurator' name='Configurator'/>
    </RunAsUser>
    Still not success.....??? Any idea what could be wrong?
    I am using IdM Version 5.5
    -Thanks

    Hmmm...
    Seems to be working now...all I did was restart the application server??? Tried the same steps again in a different environment, and worked without a restart. Must be something odd with one particular environment.
    -Thanks though for the reply!

  • Java.security.AccessControlException: access denied (oracle.security.jazn.J

    Hi All.
    I am calling the getIdentityStoreFactory() method in the IdentityStoreFactoryBuilder class and I am getting the following error:
    oracle.security.idm.ConfigurationException: java.security.AccessControlException: access denied (oracle.security.jazn.JAZNPermission getOC4JIntegrationData)
    Any ideas what is going on and any possible fixes?
    thanks
    james

    I will move it to the OC4j and J2ee forum.
    Thanks for bringing it to my attention.

  • Provisioning RSA  ------ Excepti (login)Sd_ContinueLoginError Access Denied

    hey please help me in this
    I am trying to provision users to RSA 5.2 from SUN IDM 6.0, I am using when I provision a user to RSA it says
    com.waveset.util.WavesetException:SecurId ACE/Server:(login)Sd_ContinueLoginError Access Denied
    I have seen that server is running and edited system parameters of RSA to accept user passwords for administrator login.

  • URGENT - ACTIVESYNC - Create access denied to Subject XYZ

    I am running a flatfile activeSync. Adapter status indicates .. Executing. When I look at the ActiveSync log file, I can see all the mapped attributes being pulled in correctly. But no user is created in IDM. The log file shows 'Create Access Denied to Subject Configurator on User:<accountid>'.
    I have tried to run activesync using other activesync proxy users with all admin rights and Configurator. Still the same error.
    Why? How do I fix it?
    Thank you in advance for your help.

    When you choose the "assign resource" option, you will see this problem.
    Usually the ActiveSync polled accounts do not require a resource name in user objects.
    Hope I am making sense
    --sFred

  • View access denied to Subject  on TaskDefinition:

    I cloned an existing workflow and just changed the name of the task definition and imported into IDM.
    when I tried to execute it I am getting the following error message
    View access denied to Subject xxxxxon TaskDefinition: DSRS - New Request-new2.
    Any ideas?

    If you are trying to run a workflow in the User Interface, you'll need to add your workflow into the End User Tasks configuration file.
    Best,
    Aidy
    httpp://www.waveset.allidm.com

  • Report generation failed----error code:-17205; Access Denied.

    Hi, All
        I have a problem with report generation. It seems the error happened at "Write UUT Report" -- this step is the TestStand report generation DLL.
        Detail:
        An error occurred calling 'Save' in 'Report' of 'NI TestStand 2010 SP1 API'
    Access Denied.. Error writing to file 'D:\program\seq\xxx.xml'.
    The file might be open in another application. If file access is intermittently denied, you should try disabling the Microsoft FindFast utility. 
        error code:-17205; Access Denied.
        Location: Step 'Write UUT Report' of sequence 'Single Pass' in 'SequentialModel.Seq'
        How to fix it?
        Thanks a lot.
    BR

    Hm, it looks like the file might be open in another application. If you see that file access is intermittently denied, you should try disabling the Microsoft FindFast utility.
    CTA, CLA, MTFBWY

  • Access denied error while writing a file to the file system - myfileupload.saveas() throws system.unauthorizedexception

    Hi,
    As part of my requirement, I have to perform read and write operations on a few files [using the file upload control in my custom visual web part] on submit button click.
    But while writing these files with the help of the fileupload control, when I use myfileupload.saveas(mylocation);
    - I am saving these files to the D:\ drive of my server, where I am executing my code - I am getting an access denied error.
    It throws system.unauthorizedexception.
    I have given full control on the folder where I was trying to store my attached files. Also, after following the asp.net forums,
    I added the iusr group and performed all those steps so that the file would be saved to my D:\ drive.
    But unfortunately that didn't happen.
    Also:
    a) I am trying the code with runwithelevatedprivileges(delegate() ) code
    b) shared the drive within the D: drive where I want to save the files.
    c) given full privileges to the app pool identity - in my case, it's network service.
    The other strange thing is that the same code works perfectly on another machine, where the same SP, VS 2012 etc. were installed.
    I would like to know any other changes/steps I need to make on this server, where I am getting the error.
    Help is appreciated!

    vishnuS1984 wrote:
    Hi Friends,
    I have gone through scores of examples and i am failing to understand the right thing to be done to copy a file from one directory to another. Here is my class...

    So let's see... C:\GetMe1 is a directory on your machine, right? And this is what you are doing with that directory:

        public static void copyFiles(File src, File dest) throws IOException
        // dest is a 'File' object but represents the C:\GetMe1 directory, right?
        fout = new FileOutputStream (dest);

    If it's a directory, where in your code are you appending the source file name to the path, before trying to open an output stream on it? You're not.
    BTW, this is awful:

        catch (IOException e) {
            IOException wrapper = new IOException("copyFiles: Unable to copy file: " +
                src.getAbsolutePath() + "to" + dest.getAbsolutePath()+".");
            wrapper.initCause(e);
            wrapper.setStackTrace(e.getStackTrace());
            throw wrapper;
        }

    1) You're hiding the original IOException and replacing it with your own? For what good purpose?
    2) Even if you had a good reason to do that, this would be simpler and better:

        throw new IOException("your custom message goes here", e);

    rather than explicitly invoking initCause and setStackTrace. Yuck!
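
The two points made in the reply above, as an added example that is not part of the thread and is not the poster's class: opening a `FileOutputStream` on a directory fails (on Windows the JDK typically reports it as `FileNotFoundException` with "Access is denied"), and the fix is to append the source file name to the directory before opening the stream, chaining the cause through the `IOException(String, Throwable)` constructor. The class name `CopyIntoDirectory`, the helper `resolveTarget` and the temporary files are assumptions made for the illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;

public class CopyIntoDirectory {

    // Hypothetical helper: if dest is a directory, the real target is
    // dest/<source file name>; otherwise dest is already the target file.
    static File resolveTarget(File src, File dest) {
        return dest.isDirectory() ? new File(dest, src.getName()) : dest;
    }

    static File copyFile(File src, File dest) throws IOException {
        File target = resolveTarget(src, dest);
        try (InputStream in = new FileInputStream(src);
             OutputStream out = new FileOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            // Keep the original exception as the cause instead of calling
            // initCause/setStackTrace by hand.
            throw new IOException("copyFile: unable to copy " + src.getAbsolutePath()
                    + " to " + target.getAbsolutePath(), e);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temp directory standing in for C:\GetMe1
        // and a small temp file to copy into it.
        File dir = Files.createTempDirectory("GetMe1").toFile();
        File src = File.createTempFile("sample", ".txt");
        Files.write(src.toPath(), "constructed sample content".getBytes("UTF-8"));

        // The failure mode from the thread: an output stream on the directory itself.
        try (OutputStream bad = new FileOutputStream(dir)) {
            System.out.println("unexpected: opened a directory for writing");
        } catch (IOException e) {
            System.out.println("opening the directory failed: " + e.getMessage());
        }

        // The corrected call: same arguments, target resolved inside copyFile.
        File copied = copyFile(src, dir);
        System.out.println("copied to " + copied + " (" + copied.length() + " bytes)");
    }
}
```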

  • The system failed to merge, error code : General Access denied

    The system failed to merge, error code : General Access denied. Could anyone help me on this

    Hi,
    It could be several things, I think it could be a good start with the following page:
    https://blogs.technet.com/b/chrad/archive/2009/10/02/differencing-disks-merging-80070005-error-just-one-persons-lesson-learned.aspx
    If that doesn't help you could check out the following technet page to see if it is a permission problem. (It is not exactly the same problem but one of our customers once had the same problem and we solved it with the following KB: http://support.microsoft.com/kb/2249906/en-us)
    Hope this helps you out.

  • Folder Redirection 502 Access Denied but redirecting to wrong place

    Hi,
    I have come across a very unusual problem.  Folder redirection was implemented a few months ago where a number of folders were redirected with the following settings:
    Redirect everyone's folder to the same location
    Create a folder for each user under the root path
    \\server\homefolders
    It has worked flawlessly but in recent weeks when we create new users, some of them experience this problem.  Folder redirection fails consistently for that user with 502 Access denied.  That isn't the unusual bit.  This is the unusual bit
    - The message is:
    Failed to apply policy and redirect folder "Documents" to "\\fileserver\homefolders\joe.bloggs\Documents".
    Redirection options=0x1001.
    The following error occurred: "Failed to build the list of regular subdirectories under "\\fileserver\homefolders\Jane.Doe\Documents".".
    Error details: "Access is denied.
    Yes for some reason it knows where it should be redirecting to, but then attempts to redirect to someone else's home folder location.  I've substituted the server name and user names for security but the name equivalent to Jane.Doe is consistent in every error.
    This only occurs on our RDS 2012 R2 farm, which has 3 session hosts and doesn't happen on any other system.  We use roaming profiles.  I have logged the user off and deleted the local and network profiles but get the same result.  I've rebuilt the GPO that handles folder redirection, but again, same result.  I've checked and double checked Folder Redirection settings and nothing points to this specific Jane.Doe user.
    Anyone come across this before?

  • I keep getting this error in Dreamweaver when I am trying to upload my website?  Can you tell me what I am doing wrong?  here is the error message: /html - error occurred - Unable to create remote folder /html.  Access denied.  The file may not exist, or

    I keep getting this error in Dreamweaver when I am trying to upload my website?  Can you tell me what I am doing wrong?  here is the error message: /html - error occurred - Unable to create remote folder /html.  Access denied.  The file may not exist, or there could be a permission problem.   Make sure you have proper authorization on the server and the server is properly configured.  File activity incomplete. 1 file(s) or folder(s) were not completed.  Files with errors: 1 /html

    Nobody can tell you anything without knowing exact site and server specs, but I would suspect that naming the folder "html" wasn't the brightest of ideas, since that's usually a default (invisible) folder name existing somewhere on the server and the user not having privileges to overwrite it.
    Mylenium

  • SharePoint 2010 - Claims Based Authentication - Access Denied for AD Group members

    We're in the process of migrating our SharePoint 2003 system to 2010 and have used Metavis to migrate the data. We had to do the data migration in a lab environment and then move/attach the content database to our production server. The database attached successfully and I, as a site collection administrator, can see all sites and the data therein. We are using claims-based auth with ADFS 2.0 as the provider.
    My users, however, get access denied trying to go anywhere on the site. I have added the Active Directory groups to the appropriate SharePoint groups and have confirmed the groups are appearing with the c:0-.t|adfs|group_name syntax. If I add them as individual users (i:05.t|adfs|[email protected]) they can authenticate fine, but not by AD group membership.
    I enabled ADFS tracing and I see that the claim being provided includes the SIDs for all the groups the user belongs to. Using ULS Viewer I can see that SharePoint sees the correct number of claims (it doesn't show what those claims are, just the number) but it doesn't seem to be connecting the SIDs passed to the group name used in the permissions list. I have also updated the portalsuperreader and portalsuperuser accounts after the database was moved, just in case there was something weird there.
    The ADFS and SharePoint servers are all in the same AD domain, so they should be able to resolve SIDs ok. I suspect the issue is somehow related to the migration of the content database from a separate environment (different domain), but I can't figure out for the life of me how to get the group authentication to work.
    Thoughts?

    Brilliant idea. Unfortunately that didn't work - I can get to the new site as the site collection owner, but members of groups to which I assigned permissions still get Access Denied. :-(
