APAR status
Closed as program error.
Error description
When a user tries to lower his own access rights by moving himself into another application role, the following exception occurs in the logs and the user is in an inconsistent state afterwards:

[3/22/10 7:35:48:734 EDT] 00000078 CreateApplica E com.ibm.wps.command.ac.CreateApplicationRoleMappingCommand AbstractCommand.throwMissingAccessRightsException EJPSB0059E: User is not allowed to execute this task.
com.ibm.wps.ac.NotAllowedException: EJPSB0091E: The principal with name cn=testuser,o=ibm and ObjectID [ExtIDImpl '9eAe3IJQJ0T811IMK0PACPJQJ498D8' [CN=TESTUSER,O=IBM / USER, Domain: [Domain: rel]]] is not allowed to do the operation Create ApplicationRoleMapping because he does not have the following permissions: (PermissionCollection)[[ObjectIDImpl '1C_U0M1TKG100VHF0IS1DHFVM20P4' [-505529005931177954:-7421740906222328704@0 / APPLICATION_ROLE], Domain: [Domain: comm], DB representation: 0000-1ED8D0290C00FCF880E4A1C5F7AD0099]:NA:(ActionSet)Join (-1 ) (/ActionSet)]shortcut:(PermissionCollection)[[ExtIDImpl '1FeBeH9CULA16DAC8L5T8H1C03B1962CIK95642IC4BL9I1C03O0' [11_U0M1TKG100VHF0IS1DHFVM2000 / APPLICATION_ENTITY, Domain: [Domain: comm]]]:NA:(ActionSet)Grant_Access, (-1 ) (/ActionSet)](/PermissionCollection)shortcut:(PermissionCollection)[[ObjectIDImpl '0_000000000000G3RCDT7BG0S000' [0:1971448502380231@0 / VIRTUAL], Domain: [Domain: rel], DB representation: 0000-0000000000000000C766AD9F05010700]:NA:(ActionSet)Grant_Access, (-1 ) (/ActionSet)](/PermissionCollection)shortcut:(PermissionCollection)[[ObjectIDImpl '0_000000000000G3VCDT7BG0S000' [0:1971448502380487@0 / VIRTUAL], Domain: [Domain: comm], DB representation: 0000-0000000000000000C767AD9F05010700]:Static:(ActionSet)Grant_Access, (-1 ) (/ActionSet)](/PermissionCollection)(/PermissionCollection).
    at com.ibm.wps.ac.impl.AccessControlConfigImpl.checkPermissions(AccessControlConfigImpl.java:327)
    at com.ibm.wps.ac.impl.AccessControlConfigImpl.createApplicationRoleMapping(AccessControlConfigImpl.java:3494)
    at com.ibm.wps.ac.impl.AccessControlConfigFederator.createApplicationRoleMapping(AccessControlConfigFederator.java:1534)
    at com.ibm.wps.command.ac.CreateApplicationRoleMappingCommand.execute(CreateApplicationRoleMappingCommand.java:129)
    at com.ibm.wps.cai.sec.PacServiceProxy.addUserToApplicationRole(PacServiceProxy.java:599)
    at com.ibm.wps.cai.sec.PacAdapter.addUserToApplicationRole(PacAdapter.java:214)
    at com.ibm.wkplc.community.service.impl.MembershipCollectionImpl.updateMember(MembershipCollectionImpl.java:1880)
    at com.ibm.wkplc.community.service.impl.MembershipCollectionImpl.updateMembers(MembershipCollectionImpl.java:1786)
    at com.ibm.wkplc.community.service.ConcreteCommunityServiceBean.updateMembers(ConcreteCommunityServiceBean.java:1098)
    at com.ibm.wkplc.community.service.CommunityServiceBean.updateMembers(CommunityServiceBean.java:283)
    at com.ibm.workplace.community.service.EJSLocalStatelessCommunityService_d83e5289.updateMembers(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
    at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
    at com.ibm.wkplc.delegate.workspace.proxy.EjbDelegateProxy.invokeImpl(EjbDelegateProxy.java:424)
    at com.ibm.wkplc.delegate.workspace.proxy.EjbDelegateProxy.invokeImpl(EjbDelegateProxy.java:402)
    at com.ibm.wkplc.delegate.workspace.proxy.BaseProxy.invoke(BaseProxy.java:141)
    at com.ibm.wkplc.delegate.workspace.module.DelegateModule.invoke(DelegateModule.java:323)
    at com.ibm.wkplc.delegate.workspace.proxy.DelegateProxy.invokeImpl(DelegateProxy.java:73)
    at com.ibm.wkplc.delegate.workspace.proxy.BaseProxy.invoke(BaseProxy.java:141)
    at $Proxy65.updateMembers(Unknown Source)
    at com.ibm.wps.dm.exporter.AddUsersToRole.export(AddUsersToRole.java:232)
    at com.ibm.wps.dm.servlet.XmlDataServlet.doGet(XmlDataServlet.java:174)
    at com.ibm.wps.dm.servlet.XmlDataServlet.doPost(XmlDataServlet.java:215)
Local fix
n/a
Problem summary
When a user tries to lower his own access rights by moving himself into another application role, the exception shown in the error description above (EJPSB0059E, with com.ibm.wps.ac.NotAllowedException: EJPSB0091E) occurs in the logs and the user is in an inconsistent state afterwards.
Problem conclusion
Manager is not allowed to modify his own role.

Manual Steps: Manual steps required during installation and uninstallation - see details in steps below.
Failing Module(s): Composite Applications
Affected Users: Administrative users
Version Information:
Portal Version(s): 6.0.1.1
Pre-Requisite(s): PK69832
Co-Requisite(s): ---
Platform Specific: This fix applies to all platforms.

Installation:
NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO INSTALL A FIX.
The Portal Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=688&uid=swg24006942
Reminder: The version of PUI used varies based on the version of WebSphere Portal. Ensure the correct version is in use.
1. Create a temporary "fix" directory to store the jar file.
2. Copy the jar file to this directory.
3. Shut down WebSphere Portal.
4. Follow the fix installation instructions that are packaged with the Portal Update Installer on how to install the fix.
5. Run configuration task <WPS_HOME>/config/WPSconfig.[bat|sh] config-pm10246
6. Restart WebSphere Portal.
7. The temporary directory may be removed.

Un-Installation:
NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.
1. Shut down WebSphere Portal.
2. Follow the instructions that are packaged with the Portal Update Installer on how to uninstall the fix.
3. Restart WebSphere Portal.

A fix is available from Fix Central:
http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?apar=PM11708&productid=WebSphere%20Portal&brandid=5
You may need to type or paste the complete address into your Web browser.
Temporary fix
Comments
APAR Information
APAR number: PM11708
Reported component name: WEBSPHERE PORTA
Reported component ID: 5724E7600
Reported release: 60E
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2010-04-08
Closed date: 2010-05-26
Last modified date: 2010-05-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name: WEBSPHERE PORTA
Fixed component ID: 5724E7600
Applicable component levels: R60E PSY UP
Document Information
Modified date: 26 May 2010