Dynamic Access Policy Customization for Antivirus issues??

Similar Messages

• Dynamic access policy ACL not beeing applied to user

  Hi all
  I have just configured my ASA for ssl vpn
  I have created a dynamic access policy with an ACL in it.
  The user connects fine, and I can see on the logs that the DAP policy has applied to the user
  However when I click on monitoring, it says no acl is applied to this session, and the client cannot get anywhere
  why would this be?
  cheers
  Carl

  When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)?  These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
  Also, is your default policy at that bottom of this list deny access?

• Dynamic Access Policy ACL Logging

  We use dynamic access policy's with Network ACLs to restrict specifics users access to what they need over the VPN. The ACL's get applied to the users as they should for the most part working as they should. I am in the process of troubleshooting an ACL now that tied to a DAP and I cant find any way of logging the drops (or allows) from the ACL being used for DAP.

  When you go to dynamic access policies in ASDM is your NoVPN ACL at the top of the list (highest ACL priority)?  These get processed in order and if your user is in both groups the first will be taken and the rest ignored.
  Also, is your default policy at that bottom of this list deny access?

• LDAP (openldap) authorization with DAP (dymamic access policy)

  Hello,
  We have a asa 5520 and we try to make a ldap (openLdap) authorization with DAP (Dynamic Access Policy). We have problem with logical expression. We need more example of logical expression and we need to know how debug logical expression. We try to use de Debug dap trace and debug dap error but we need more debug informations.

  Hi
  I guess you are using an ldap attribute map, to map the ad group to a group policy. This does not work as you may expect when the user is part of multiple groups, I.e. the user will always be mapped to the same group (first or last in the list, not sure).
  Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
  Hth
  Herbert
  Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.

• How can we force the access policy to be re-triggered?

  Hello,
  I set up the access policy (AP) for the dbat connector (with Retrofit).  The AP was triggered correctly to give resource DBAT to the user.  When the user login changed, I called "Delete User" in the dbat connector and the resource is revoked from the user.
  My goal is for the AP to be triggered so that a new dbat account is created for the user with the username.
  However, the AP is not triggered again.  I tracked this by selecting the policy_eval_needed in the user_provisioning_attrs table (1 access policy will be re-evaluated, 0 AP not evaluated).
  Is there a way for me to force the AP to be re-evaluated?
  Thanks
  Khanh

  How are you triggering the Access policy Assignation?
  Hopefully ,if this is governed by the grant and revoke of role, you may first revoke the role for the account which is already revoked and grant the same role again.
  As the previous account was in revoked status, a new account would be provisioned for the DBAT connector. Grant and revoke of role can be done through the SElf Service UI or a custom scheduled task.
  Regards,
  Arvind

• Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

  We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint but our SharePoint is routed through the UAG. The MDM application
  does not need to be published neither is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
  On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint but we get the following error in the TMG log:
  “Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]”
  The source IP is the internal IP of the host running the MDM application. In the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option but that had no effect. It appears like there is a policy
  blocking communication to SharePoint. Does anyone have a suggestion on which policy or where the policy that is controlling this is located so that we can try to resolve this issue? Thanks.

  Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx. 
  We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application but that did not make any difference. 

• Access Policy Issues on WRT600N

  I dunno what the deal is but I am having issues setting up an access policy for a computer on my network. I added the ip address of the computer that I want to set restrictions on to the list of "applied pc's", then set "Allow" internet access, "everyday", "24 hours", block website "www.yahoo.com". Then I enabled and clicked save.
  The problem is that after I enable this policy NONE of my other computers on the network get internet access AT ALL anymore. The computer that I set the policy on gets internet access and yahoo.com is blocked. But like I said none of my other computers can get access while this policy is enabled.

  This is EXACTLY what my router is doing...
  2) Access restrictions do not work, PERIOD...."ALLOW" will disable internet access for the entire subnet (regardless of the rule), and "DENY" will prevent uploading of file attachments to hotmail, myspace, facebook etc....for every computer on the subnet.
  Message Edited by DSMKilla on 10-26-2008 11:08 AM
  (Edited post for guideline compliance. Thanks!) 
  Message Edited by JOHNDOE_06 on 10-26-2008 11:39 AM

• Access policy issues and daylight savings

  I have the WRVS4400N. I have purchased a few Linksys routers in the past and have been happy with their operation. The wireless access however, was mediocre until I purchased this model. This model has great a great wireless connection. I like the fact that I can make many changes to the settings on the router without having to reboot the router. The performance of this router in combination with the cable modem has been excellent. It far outperforms the equipment that it replaced. I will normally pick a linksys product over another brand.
  I am having 2 intermittent issues that are really causing me grief and an additional couple of annoying issues. I need help in fixing these issues. I have confirmed that I have the latest firmware version.
  1) Some computers do not have connection to the internet. As if the security policy is confused about the time or connection. I really think this is a security policy issue, but I will let you decide.
  2) There are some computers that I allow a 24/7 connection to the internet. For the rest I don’t want them to have access between the hours of 12a-6a. I have found that the connection doesn’t always shut-off. I have kids and do not want them to have access during those hours. I never had problems with my previous linksys router.
  3) I am unable to set an access policy that spans the 5 min between 11:55p and 12a. In my previous linksys router I could.
  4) The new daylight savings schedule is not part of my current firmware. This really threw off my security policies.
  I have found that if I reboot or if I simply goto the security policy screen and click on save settings it seems to correct itself. But, I shouldn’t have to babysit it to make sure that it’s working correctly. When I am out of town I need to know that my security policies will continue to work while I am away.
  Here’s my set up:
  1) I have a linksys cable modem that connects me to the internet through my cable provider.
  2) I have the linksys wireless (WRVS4400N) router that connects to the cable modem.
  3) I have a 3Com Superstack II switch as the backbone of my network which connects to the router.
  4) I have several devices connected to this router: computers, xbox, vonage phone line.

  This is EXACTLY what my router is doing...
  2) Access restrictions do not work, PERIOD...."ALLOW" will disable internet access for the entire subnet (regardless of the rule), and "DENY" will prevent uploading of file attachments to hotmail, myspace, facebook etc....for every computer on the subnet.
  Message Edited by DSMKilla on 10-26-2008 11:08 AM
  (Edited post for guideline compliance. Thanks!) 
  Message Edited by JOHNDOE_06 on 10-26-2008 11:39 AM

• RVS4000 Internet Access Policy issues after FW upgrade to 1.3.3.5

  Hi,
  we run a small home/business network using an RVS4000v1. Everything is pretty simple and straight forward. We use 10 different Internet Access Policies (IAP) that's it. We recently upgraded the Firmware to 1.3.3.5.
  Since then all IPaddresses (that is 2 IPaddresses in total) that have 24 hr access to the internet will get cut off the internet just before/around midnight. All IAPs that use a time window (e.g. 8:00 AM to 10:00 PM) are working fine (also on the next day).
  The web GUI still works and the status of the routers still says its up and the WAN access is up as well. We have to reboot the router (through the webGUI) to get 24hr access again or save the same IAP again.
  Reading the release note for FW 1.3.3.5 I note that there is a know issue with IAP.
  >>QUOTE
  The second Internet access policy does not work.
  Work Around: Configure only one Internet access policy within a 24-hour
  interval.
  >>UNQUOTE
  I am just not sure how to read it.
  Is it only the second IAP that has the issue (and the IAP numbers 3 to 10 do not)? Or will only ONE IAP work and no others?
  Or is the second policy that uses a 24hr setting meant to be the issue? If this was the case, could a work around be to set the time from 00:05 AM to 11:55 PM (or in my case 00:05 to 23:55)?
  We appreciate your help
  Andy

  Friends,
  The issue is resolved. I just switched off my phone and removed the battery. Inserted the battery after a minute or so and everything seems to be fine. Even the available memory shown is around 25.15 GB.I had even forgotten to take a backup before upgrading to PR 1.3. Still all my Photos,Videos,Documents are as they were before upgrading.
  Thankfully i can heave a sigh of relief now
  Cheers,
  Goks

• Dynamic Availability Check for Goods Issue,Transfer Posting

  Dear All,
  Can anyone explain the Dynamic Availability Check??
  I mean the relevance on setting this indicator for a mov.type?
  In OMCM & OMCP I have defined a Checking Rule & also assigned the same to a Mov.type as well the transaction code?
  whether the Dynamic Availability Check concept is same in case of sales ie Say I have a Stock of 100 qtys for a material in a plant & in the availability Scope of Check I have ticked the include safety stock.
  In my material master I have a safety stock of 500 qtys.
  So when I do a transfer posting for this material with Qty as 200, System should allow me do proceed as in my availability check I have enabled the safety stock option.
  But this is not happening & I am getting an error message as deficit of stock 100 nos. Also what is use of setting the dynamic availability check indicator for my mov.type as A - Warning message , B - Error Message etc..
  Kindly suggest valuable inputs.
  Thanks & Regards,

  For e.g. there is Available Stock = 1000 qty and safety stock in material master = 500 qty then system will allow you to use 1000 qty only not 1500 qty
  This is only used for availability check purpose whether system it should be considered or not?
  And following indicators means;
  A  W mess. only issued in the case of non-availability
  B  E mess. only issued in the case of non-availability
  E  Message in any case: W mess. for non-avail., otherw. S mess.
  F  Message in any case: E mess. for non-avail., otherw. S mess.
  S  Availability check only with simulation
  The above indicators indicate whether the system is to check for existing material requirements.
  Award appropriately once the thread is answered.

• PF attribute modification in Access Policy for existing users.

  Hi Guys,
  I have an access policy for provisioning a resource. Suppose if I make some changes for the process form attribute value inside the access policy,How can I have the same attribute value reflected in the process form of users who are already provisioned by the access policy?
  Direct database update wont be a good idea here as I am having multiple access policies for the same resource. Is there any table which is having the relation between provisioned resource and curresponding access policy if at all I have to go for a custom scheduled task?
  Thanks,

  Does this solution also supposed to work in OIM 11g? I Tried it but data on the main form does not get reflected on the process form of existing users. For child data it does work.
  Edited by: bsteen on Aug 5, 2011 5:21 AM

• Authorization issue with J2EE Policy Agent for AS7

  Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
  <filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
  <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  The two resources /customer and /admin are subjected security constraints like:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>col2</web-resource-name>
  <url-pattern>/customer</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>customer</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  The role-to-principal mapping is done in the sun-web.xml like:
  <security-role-mapping>
  <role-name>customer</role-name>
  <group-name>customer</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  <security-role-mapping>
  <role-name>admin</role-name>
  <group-name>admin</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
  The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
  [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
  [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
  Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
  return the correct grops viz. customer,admin,anyone.
  PLEASE HELP

  -- Second Update --
  After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
  1. Some URL's has to be defined as not enforced.
  com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
  com.sun.am.policy.amFilter.notenforcedList[2]=*.css
  com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
  2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
  /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
  byPassSignon=TRUE
  defaultUserid="DEFAULT_USER"
  defaultPWD="your password"
  signon_page=amsignin.html
  signonError_page=amsignin.html
  logout_page=amsignin.html
  expire_page=amsignin.html
  However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
  Allow Public Access (cheked)
  User ID : DEFAULT_USER
  Password : your password
  HTTP Session Inactivity : (SSO TIMEOUT)
  and:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
  In section "SignOn/Logout" set the following values:
  Signon Page : amsignin.html
  Signon Error Page : amerror.html
  Logout Page : amsignout.html
  Note: After making any changes on the console; restart PIA (weblogic instance).
  With this the SSO with PeopleSoft is working Ok.
  Message was edited by:
  LpzYlnd

• OIM 11g AD Connector Access Policy Based Provisioning Issue

  Hi,
  I created Approval Policy for Access Policy Based Provisioning request type for request level (autoapproval) and operational level (used standart beneficiaryManagerApproval process), but when the resource must assigned to User,- throws exception when running setAdDn adapter of Process Definition Form:
  Running ISADAM
  Target Class = java.lang.String
  Running Get Attribute Map
  Running AD Create User
  Running ISADAM
  Target Class = java.lang.String
  Running GETUSESSL
  Target Class = java.lang.String
  Running CheckUserStatus
  Running GETATTRIBUTEHASH
  Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
  Running Set User Attribute
  Running Set User Expiration Date
  Running ISADAM
  Target Class = java.lang.String
  Running CheckUserStatus
  Running GETPWDEXPIRESATTRIBUTEHASH
  Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
  Running Set Pwd Expires Attribute False
  Running GETATTRIBUTEHASH
  Target Class = com.thortech.xl.util.adapters.tcUtilHashTableOperations
  Running SETADDN
  [2012-07-19T16:15:52.281+03:00] [oim_server1] [ERROR] [] [XELLERATE.SERVER] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Class/Method: tcDataObj/save Error :Insertion of dataobject into database failed
  [2012-07-19T16:16:34.375+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 0
  [2012-07-19T16:16:55.422+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 1
  [2012-07-19T16:17:12.750+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
  [2012-07-19T16:17:14.703+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
  [2012-07-19T16:17:15.203+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
  [2012-07-19T16:17:15.703+03:00] [oim_server1] [ERROR] [] [XELLERATE.APIS] [tid: OIMQuartzScheduler_Worker-10] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
  [2012-07-19T16:17:16.469+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 2
  [2012-07-19T16:17:37.516+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 3
  [2012-07-19T16:17:58.562+03:00] [oim_server1] [WARNING] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Exception while trying to get the connection count : 4
  [2012-07-19T16:17:58.562+03:00] [oim_server1] [ERROR] [] [XELLERATE.DATABASE] [tid: [STUCK].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 3f3d2d8955322f32:-2e0e6e14:1389f3fa30b:-8000-00000000000000bb,0] [APP: oim#11.1.1.3.0] Class/Method: DirectDB/getConnection encounter some problems: Error while retrieving database connection.Please check for the follwoing[[
  Database srever is running.
  Datasource configuration settings are correct. java.sql.SQLException: Unexpected exception while enlisting XAConnection java.sql.SQLException: Transaction rolled back: Event handler ApprovalInitiation is asynchronous but orchestration is configured as synchronous.
       at weblogic.jdbc.jta.DataSource.enlist(DataSource.java:1616)
       at weblogic.jdbc.jta.DataSource.refreshXAConnAndEnlist(DataSource.java:1503)
       at weblogic.jdbc.jta.DataSource.getConnection(DataSource.java:446)
       at weblogic.jdbc.jta.DataSource.connect(DataSource.java:403)
       at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:364)
       at oracle.iam.platform.utils.vo.OIMDataSource.getConnection(OIMDataSource.java:57)
       at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:200)
       at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:148)
       at com.thortech.xl.dataaccess.tcDataBase.getConnection(tcDataBase.java:3198)
       at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(tcDataBase.java:705)
       at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(tcDataBase.java:271)
       at com.thortech.xl.dataobj.tcDataBase.readStatement(tcDataBase.java:221)
       at com.thortech.xl.dataobj.tcDataBase.getError(tcDataBase.java:700)
       at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1197)
       at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1140)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:487)
       at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(tcORC.java:844)
       at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(tcORC.java:1159)
       at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(tcOrderItemInfo.java:735)
       at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(tcOrderItemInfo.java:171)
       at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(tcUDProcess.java:234)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
       at com.thortech.xl.dataobj.tcORC.autoDOBSave(tcORC.java:2995)
       at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:526)
       at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
       at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:527)
       at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:303)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
       at com.thortech.xl.dataobj.tcUserProvisionObject.insertImplementation(tcUserProvisionObject.java:283)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:591)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:104)
       at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:35)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
       at $Proxy250.execute(Unknown Source)
       at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1035)
       at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
       at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
       at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
       at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:716)
       at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
       at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
       at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
       at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
       at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
       at $Proxy311.onMessage(Unknown Source)
       at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
       at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
       at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:379)
       at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
       at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
       at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
       at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
       at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
       at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
       at weblogic.jdbc.jta.DataSource.refreshXAConnAndEnlist(DataSource.java:1522)
       at weblogic.jdbc.jta.DataSource.getConnection(DataSource.java:446)
       at weblogic.jdbc.jta.DataSource.connect(DataSource.java:403)
       at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:364)
       at oracle.iam.platform.utils.vo.OIMDataSource.getConnection(OIMDataSource.java:57)
       at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:200)
       at com.thortech.xl.util.DirectDB.getConnection(DirectDB.java:148)
       at com.thortech.xl.dataaccess.tcDataBase.getConnection(tcDataBase.java:3198)
       at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(tcDataBase.java:705)
       at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(tcDataBase.java:271)
       at com.thortech.xl.dataobj.tcDataBase.readStatement(tcDataBase.java:221)
       at com.thortech.xl.dataobj.tcDataBase.getError(tcDataBase.java:700)
       at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1197)
       at com.thortech.xl.dataobj.tcDataObj.handleError(tcDataObj.java:1140)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:487)
       at com.thortech.xl.dataobj.tcORC.insertNonConditionalMilestones(tcORC.java:844)
       at com.thortech.xl.dataobj.tcORC.completeSystemValidationMilestone(tcORC.java:1159)
       at com.thortech.xl.dataobj.tcOrderItemInfo.completeCarrierBaseMilestone(tcOrderItemInfo.java:735)
       at com.thortech.xl.dataobj.tcOrderItemInfo.eventPostInsert(tcOrderItemInfo.java:171)
       at com.thortech.xl.dataobj.tcUDProcess.eventPostInsert(tcUDProcess.java:234)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
       at com.thortech.xl.dataobj.tcORC.autoDOBSave(tcORC.java:2995)
       at com.thortech.xl.dataobj.util.tcOrderPackages.createOrder(tcOrderPackages.java:526)
       at com.thortech.xl.dataobj.util.tcOrderPackages.orderPackageForUser(tcOrderPackages.java:177)
       at com.thortech.xl.dataobj.tcOIU.provision(tcOIU.java:527)
       at com.thortech.xl.dataobj.tcOIU.eventPostInsert(tcOIU.java:303)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at com.thortech.xl.dataobj.tcTableDataObj.save(tcTableDataObj.java:2906)
       at com.thortech.xl.dataobj.tcUserProvisionObject.insertImplementation(tcUserProvisionObject.java:283)
       at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:591)
       at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
       at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:104)
       at oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler.execute(ProvisionAccountActionHandler.java:35)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
       at $Proxy250.execute(Unknown Source)
       at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1035)
       at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:644)
       at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
       at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
       at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:716)
       at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
       at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
       at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
       at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
       at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
       at $Proxy311.onMessage(Unknown Source)
       at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
       at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
       at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:379)
       at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
       at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
       at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
       at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
       at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
       at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  But when I try to provision this Resource through Access Policy, but without approving it works fine!!!
  Please, Help.
  Edited by: user13830503 on 19/7/2012 6:39

  2e0e6e14:1389f3fa30b:-8000-0000000000000003,0] [APP: oim#11.1.1.3.0] Class/Method: tcLookupOperationsBean/getLookupValuesFilteredData encounter some problems: The LookupCode 'Lookup.ESSOMFONumbers' does not exist.
  Make sure the lookup table exists and is spelled correctly in your process task.

• Access policy Issue

  Hi all,
  I am trying to add a EBS responsibility automatically when creating a new user in OIM.
  I created the rules, group and access policy needed. In the access policy I selected EBS responsibility as the resource to provision.
  To test the new access policy I created a new User in OIM. The status of the resource is in ready state.
  Any suggestions on why this is happening.
  Thanks,

  This is the error in the log file.
  ERROR,09 Aug 2010 22:33:32,832,[XELLERATE.APIS],Class/Method: tcFormInstanceOperationsBean/getObjectFormVersion encounter some problems: A version of form for object instance with key '50133' does not exist.
  ERROR,09 Aug 2010 22:33:32,849,[XELLERATE.APIS],Class/Method: tcFormInstanceOperationsBean/getObjectFormDataData encounter some problems: Error occurred while getting form data for object instance with key '50133'.
  ERROR,09 Aug 2010 22:33:32,849,[XELLERATE.APIS],Class/Method: tcFormInstanceOperationsBean/getObjectFormDataData encounter some problems: com.thortech.xl.dataaccess.tcDataSetException: Cannot convert 'EBSHF-APPS12' to a long: For input string: "EBSHF-APPS12"
  com.thortech.xl.dataaccess.tcDataSetException: com.thortech.xl.dataaccess.tcDataSetException: Cannot convert 'EBSHF-APPS12' to a long: For input string: "EBSHF-APPS12"
       at com.thortech.xl.dataaccess.tcDataSet.setString(Unknown Source)
       at com.thortech.xl.dataobj.tcDataSet.setString(Unknown Source)
       at com.thortech.xl.dataaccess.tcDataSet.setString(Unknown Source)
       at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormDataData(Unknown Source)
       at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormData(Unknown Source)
       at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.getObjectFormData(Unknown Source)
       at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.getObjectFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1420)
       at Thor.API.Operations.tcFormInstanceOperationsClient.getObjectFormData(Unknown Source)
       at sun.reflect.GeneratedMethodAccessor366.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.security.Security.runAs(Security.java:41)
       at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
       at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
       at $Proxy67.getObjectFormData(Unknown Source)
       at com.thortech.xl.webclient.actions.UserDefinedFormAction.prepareObjectForm(Unknown Source)
       at sun.reflect.GeneratedMethodAccessor362.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
       at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
       at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
       at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
       at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
       at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  ERROR,09 Aug 2010 22:33:32,849,[XELLERATE.WEBAPP],Class/Method: UserDefinedFormAction/prepareObjectForm encounter some problems: Error occurred while getting form data for object instance with key '50133'.
  Thor.API.Exceptions.tcAPIException: Error occurred while getting form data for object instance with key '50133'.
       at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormDataData(Unknown Source)
       at com.thortech.xl.ejb.beansimpl.tcFormInstanceOperationsBean.getObjectFormData(Unknown Source)
       at com.thortech.xl.ejb.beans.tcFormInstanceOperationsSession.getObjectFormData(Unknown Source)
       at com.thortech.xl.ejb.beans.tcFormInstanceOperations_2j82mm_EOImpl.getObjectFormData(tcFormInstanceOperations_2j82mm_EOImpl.java:1420)
       at Thor.API.Operations.tcFormInstanceOperationsClient.getObjectFormData(Unknown Source)
       at sun.reflect.GeneratedMethodAccessor366.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.security.Security.runAs(Security.java:41)
       at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
       at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
       at $Proxy67.getObjectFormData(Unknown Source)
       at com.thortech.xl.webclient.actions.UserDefinedFormAction.prepareObjectForm(Unknown Source)
       at sun.reflect.GeneratedMethodAccessor362.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
       at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
       at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
       at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
       at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
       at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

• "Access not allowed for subject: principals=[]" Common Issue with no Repose

  Hi all,
  When upgrading from 8.1 to 8.1 SP4 (we have seen the issue as early as SP2), there is an exception thrown when trying to start the server where our application is deployed:
  <pre>weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: Application Action: write, Target: Deployed
  </pre>
  Our application creates an InitialContext using properties from a standard properties file, and when the "java.naming.security.principal" and "java.naming.security.credentials" properties are omitted, the server will start and deploy the application, but it naturally will not work.
  I have noticed that this issue has been brought up by several others:
  http://forums.bea.com/bea/search.jspa?q=%22Access+not+allowed+for+subject%3A+principals%3D%5B%5D%22&objID=&dateRange=all&userID=&numResults=15
  http://forums.bea.com/bea/thread.jspa?forumID=2058&threadID=200027601&messageID=200619947#200619947
  http://forums.bea.com/bea/thread.jspa?forumID=2051&threadID=200021662&messageID=200590642#200590642
  http://forums.bea.com/bea/message.jspa?messageID=200590569&tstart=0
  But have seen nothing resembling even a hint of a cause.
  Any suggestions that even get me going in the right direction would be appreciated.
  <pre>
  weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[], on ResourceType: Application Action: write, Target: Deployed
       at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:623)
       at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:510)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.management.internal.SecurityHelper.isAccessAllowed(SecurityHelper.java:398)
       at weblogic.management.internal.RemoteMBeanServerImpl.private_setAttribute(RemoteMBeanServerImpl.java:430)
       at weblogic.management.internal.RemoteMBeanServerImpl.setAttribute(RemoteMBeanServerImpl.java:387)
       at weblogic.management.internal.MBeanProxy.setAttribute(MBeanProxy.java:741)
       at weblogic.management.internal.MBeanProxy.invokeForCachingStub(MBeanProxy.java:475)
       at weblogic.management.configuration.ApplicationMBean_Stub.setDeployed(ApplicationMBean_Stub.java:408)
       at weblogic.management.mbeans.custom.ApplicationManager.setState(ApplicationManager.java:593)
       at weblogic.management.mbeans.custom.ApplicationManager.startConfigManager(ApplicationManager.java:740)
       at weblogic.management.mbeans.custom.ApplicationManager.start(ApplicationManager.java:501)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl.java:754)
       at weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:733)
       at weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBeanImpl.java:509)
       at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1560)
       at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1528)
       at weblogic.management.internal.RemoteMBeanServerImpl.private_invoke(RemoteMBeanServerImpl.java:988)
       at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:946)
       at weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:954)
       at weblogic.management.internal.MBeanProxy.invokeForCachingStub(MBeanProxy.java:481)
       at weblogic.management.configuration.ApplicationManagerMBean_Stub.start(ApplicationManagerMBean_Stub.java:677)
       at weblogic.management.Admin.startApplicationManager(Admin.java:2821)
       at weblogic.management.AdminServerAdmin.startApplicationManager(AdminServerAdmin.java:624)
       at weblogic.management.Admin.finish(Admin.java:2299)
       at weblogic.management.AdminServerAdmin.finish(AdminServerAdmin.java:458)
       at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:971)
       at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:361)
       at weblogic.Server.main(Server.java:32)
  </pre>

  For others who have received this error, I'll post what I think has turned out to be the cause.
  Refer to
  http://e-docs.bea.com/wls/docs81/jndi/jndi.html#471919
  Which says:
  =====
  When you create a JNDI Context with a username and password, you associate a user with a thread. When the Context is created, the user is pushed onto the context stack associated with the thread. Before starting a new Context on the thread, you must close the first Context so that the first user is no longer associated with the thread. Otherwise, users are pushed down in the stack each time a new context created. This is not an efficient use of resources and may result in the incorrect user being returned by ctx.lookup() calls.
  =====
  Our application caches the Context created, and that Context is used by other objects to perform lookups. Prior to Sp2, this caused no issues when including the username and password as part of the properties passed to the InitialContext constructor.
  I presume that closing the Context after it has been used would be the proper fix for this, but right now this Context is used in too many places once it is created. I was able to combat the issue by removing the username and password properties (java.naming.security.principal & java.naming.security.credentials) from the properties file. It seems to work as expected.