IBM Support

PM11708: USER LOWERING HER OWN ACCESS TO PLACE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When a user is trying to lower his own access rights, by moving
    himself into another application role, the following exception
    occurs in the logs and the user is in inconsistent state
    afterwards:<br/>
    <br/>
    [3/22/10 7:35:48:734 EDT] 00000078 CreateApplica E
    com.ibm.wps.command.ac.CreateApplicationRoleMappingCommand
    AbstractCommand.throwMissingAccessRightsException EJPSB0059E:
    User is not allowed to execute this task.<br/>
    
    com.ibm.wps.ac.NotAllowedException: EJPSB0091E: The principal
    with name cn=testuser,o=ibm and ObjectID [ExtIDImpl
    '9eAe3IJQJ0T811IMK0PACPJQJ498D8' [CN=TESTUSER,O=IBM / USER,
    Domain: [Domain: rel]]] is not allowed to do the operation
    Create ApplicationRoleMapping because he does not have the
    following permissions: (PermissionCollection)[[ObjectIDImpl
    '1C_U0M1TKG100VHF0IS1DHFVM20P4' [-505529005931177954:-7421740906
    222328704@0 / APPLICATION_ROLE], Domain: [Domain: comm], DB
    representation: 0000-1ED8D0290C00FCF880E4A1C5F7AD0099]:NA:(Actio
    nSet)Join (-1 ) (/ActionSet)]shortcut:(PermissionCollection)[[Ex
    tIDImpl '1FeBeH9CULA16DAC8L5T8H1C03B1962CIK95642IC4BL9I1C03O0'
    [11_U0M1TKG100VHF0IS1DHFVM2000 / APPLICATION_ENTITY, Domain:
    [Domain: comm]]]:NA:(ActionSet)Grant_Access, (-1 )
    (/ActionSet)](/PermissionCollection)shortcut:(PermissionCollecti
    on)[[ObjectIDImpl '0_000000000000G3RCDT7BG0S000'
    [0:1971448502380231@0 / VIRTUAL], Domain: [Domain: rel], DB
    representation: 0000-0000000000000000C766AD9F05010700]:NA:(Actio
    nSet)Grant_Access, (-1 ) (/ActionSet)](/PermissionCollection)sho
    rtcut:(PermissionCollection)[[ObjectIDImpl
    '0_000000000000G3VCDT7BG0S000' [0:1971448502380487@0 / VIRTUAL],
    Domain: [Domain: comm], DB representation:
    0000-0000000000000000C767AD9F05010700]:Static:(ActionSet)Grant_A
    ccess, (-1 ) (/ActionSet)](/PermissionCollection)(/PermissionCol
    lection).
     at com.ibm.wps.ac.impl.AccessControlConfigImpl
    .checkPermissions(AccessControlConfigImpl.java:327)<br/>
     at com.ibm.wps.ac.impl.AccessControlConfigImpl
    .createApplicationRoleMapping(AccessControlConfigImpl
    .java:3494)<br/>
     at com.ibm.wps.ac.impl.AccessControlConfigFederator
    .createApplicationRoleMapping(AccessControlConfigFederator
    .java:1534)<br/>
     at com.ibm.wps.command.ac.CreateApplicationRoleMappingCommand
    .execute(CreateApplicationRoleMappingCommand.java:129)<br/>
     at com.ibm.wps.cai.sec.PacServiceProxy
    .addUserToApplicationRole(PacServiceProxy.java:599)<br/>
     at com.ibm.wps.cai.sec.PacAdapter
    .addUserToApplicationRole(PacAdapter.java:214)<br/>
     at com.ibm.wkplc.community.service.impl
    .MembershipCollectionImpl.updateMember(MembershipCollectionImpl
    .java:1880)<br/>
     at com.ibm.wkplc.community.service.impl
    .MembershipCollectionImpl.updateMembers(MembershipCollectionImpl
    .java:1786)<br/>
     at com.ibm.wkplc.community.service.ConcreteCommunityServiceBean
    .updateMembers(ConcreteCommunityServiceBean.java:1098)<br/>
     at com.ibm.wkplc.community.service.CommunityServiceBean
    .updateMembers(CommunityServiceBean.java:283)<br/>
     at com.ibm.workplace.community.service
    .EJSLocalStatelessCommunityService_d83e5289
    .updateMembers(Unknown Source)<br/>
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
    Method)<br/>
     at sun.reflect.NativeMethodAccessorImpl
    .invoke(NativeMethodAccessorImpl.java(Compiled Code))<br/>
     at sun.reflect.NativeMethodAccessorImpl
    .invoke(NativeMethodAccessorImpl.java(Compiled Code))<br/>
     at sun.reflect.DelegatingMethodAccessorImpl
    .invoke(DelegatingMethodAccessorImpl.java(Compiled Code))<br/>
     at java.lang.reflect.Method.invoke(Method.java(Compiled
    Code))<br/>
     at com.ibm.wkplc.delegate.workspace.proxy.EjbDelegateProxy
    .invokeImpl(EjbDelegateProxy.java:424)<br/>
     at com.ibm.wkplc.delegate.workspace.proxy.EjbDelegateProxy
    .invokeImpl(EjbDelegateProxy.java:402)<br/>
     at com.ibm.wkplc.delegate.workspace.proxy.BaseProxy
    .invoke(BaseProxy.java:141)<br/>
     at com.ibm.wkplc.delegate.workspace.module.DelegateModule
    .invoke(DelegateModule.java:323)<br/>
     at com.ibm.wkplc.delegate.workspace.proxy.DelegateProxy
    .invokeImpl(DelegateProxy.java:73)<br/>
     at com.ibm.wkplc.delegate.workspace.proxy.BaseProxy
    .invoke(BaseProxy.java:141)<br/>
     at $Proxy65.updateMembers(Unknown Source)<br/>
     at com.ibm.wps.dm.exporter.AddUsersToRole.export(AddUsersToRole
    .java:232)<br/>
     at com.ibm.wps.dm.servlet.XmlDataServlet.doGet(XmlDataServlet
    .java:174)<br/>
     at com.ibm.wps.dm.servlet.XmlDataServlet.doPost(XmlDataServlet
    .java:215)<br/>
    

Local fix

  • n/a
    

Problem summary

  • When a user is trying to lower his own access rights, by moving
    himself into another application role, the following exception
    occurs in the logs and the user is in inconsistent state
    afterwards:
    
    [3/22/10 7:35:48:734 EDT] 00000078 CreateApplica E
    com.ibm.wps.command.ac.CreateApplicationRoleMappingCommand
    AbstractCommand.throwMissingAccessRightsException EJPSB0059E:
    User is not allowed to execute this task.
    
    com.ibm.wps.ac.NotAllowedException: EJPSB0091E: The principal
    with name cn=testuser,o=ibm and ObjectID [ExtIDImpl
    '9eAe3IJQJ0T811IMK0PACPJQJ498D8' [CN=TESTUSER,O=IBM / USER,
    Domain: [Domain: rel]]] is not allowed to do the operation
    Create ApplicationRoleMapping because he does not have the
    following permissions: (PermissionCollection)[[ObjectIDImpl
    '1C_U0M1TKG100VHF0IS1DHFVM20P4'
    [-505529005931177954:-7421740906222328704@0 / APPLICATION_ROLE],
    Domain: [Domain: comm], DB representation:
    0000-1ED8D0290C00FCF880E4A1C5F7AD0099]:NA:(ActionSet)Join (-1 )
    (/ActionSet)]shortcut:(PermissionCollection)[[ExtIDImpl
    '1FeBeH9CULA16DAC8L5T8H1C03B1962CIK95642IC4BL9I1C03O0'
    [11_U0M1TKG100VHF0IS1DHFVM2000 / APPLICATION_ENTITY, Domain:
    [Domain: comm]]]:NA:(ActionSet)Grant_Access, (-1 )
    (/ActionSet)](/PermissionCollection)shortcut:(PermissionCollecti
    on)[[ObjectIDImpl '0_000000000000G3RCDT7BG0S000'
    [0:1971448502380231@0 / VIRTUAL], Domain: [Domain: rel], DB
    representation:
    0000-0000000000000000C766AD9F05010700]:NA:(ActionSet)Grant_Acces
    s, (-1 )
    (/ActionSet)](/PermissionCollection)shortcut:(PermissionCollecti
    on)[[ObjectIDImpl '0_000000000000G3VCDT7BG0S000'
    [0:1971448502380487@0 / VIRTUAL], Domain: [Domain: comm], DB
    representation:
    0000-0000000000000000C767AD9F05010700]:Static:(ActionSet)Grant_A
    ccess, (-1 )
    (/ActionSet)](/PermissionCollection)(/PermissionCollection).
        at
    com.ibm.wps.ac.impl.AccessControlConfigImpl.checkPermissions(Acc
    essControlConfigImpl.java:327)
        at
    com.ibm.wps.ac.impl.AccessControlConfigImpl.createApplicationRol
    eMapping(AccessControlConfigImpl.java:3494)
        at
    com.ibm.wps.ac.impl.AccessControlConfigFederator.createApplicati
    onRoleMapping(AccessControlConfigFederator.java:1534)
        at
    com.ibm.wps.command.ac.CreateApplicationRoleMappingCommand.execu
    te(CreateApplicationRoleMappingCommand.java:129)
        at
    com.ibm.wps.cai.sec.PacServiceProxy.addUserToApplicationRole(Pac
    ServiceProxy.java:599)
        at
    com.ibm.wps.cai.sec.PacAdapter.addUserToApplicationRole(PacAdapt
    er.java:214)
        at
    com.ibm.wkplc.community.service.impl.MembershipCollectionImpl.up
    dateMember(MembershipCollectionImpl.java:1880)
        at
    com.ibm.wkplc.community.service.impl.MembershipCollectionImpl.up
    dateMembers(MembershipCollectionImpl.java:1786)
        at
    com.ibm.wkplc.community.service.ConcreteCommunityServiceBean.upd
    ateMembers(ConcreteCommunityServiceBean.java:1098)
        at
    com.ibm.wkplc.community.service.CommunityServiceBean.updateMembe
    rs(CommunityServiceBean.java:283)
        at
    com.ibm.workplace.community.service.EJSLocalStatelessCommunitySe
    rvice_d83e5289.updateMembers(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
    Method)
        at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java(Compiled Code))
        at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java(Compiled Code))
        at java.lang.reflect.Method.invoke(Method.java(Compiled
    Code))
        at
    com.ibm.wkplc.delegate.workspace.proxy.EjbDelegateProxy.invokeIm
    pl(EjbDelegateProxy.java:424)
        at
    com.ibm.wkplc.delegate.workspace.proxy.EjbDelegateProxy.invokeIm
    pl(EjbDelegateProxy.java:402)
        at
    com.ibm.wkplc.delegate.workspace.proxy.BaseProxy.invoke(BaseProx
    y.java:141)
        at
    com.ibm.wkplc.delegate.workspace.module.DelegateModule.invoke(De
    legateModule.java:323)
        at
    com.ibm.wkplc.delegate.workspace.proxy.DelegateProxy.invokeImpl(
    DelegateProxy.java:73)
        at
    com.ibm.wkplc.delegate.workspace.proxy.BaseProxy.invoke(BaseProx
    y.java:141)
        at $Proxy65.updateMembers(Unknown Source)
        at
    com.ibm.wps.dm.exporter.AddUsersToRole.export(AddUsersToRole.jav
    a:232)
        at
    com.ibm.wps.dm.servlet.XmlDataServlet.doGet(XmlDataServlet.java:
    174)
        at
    com.ibm.wps.dm.servlet.XmlDataServlet.doPost(XmlDataServlet.java
    :215)
    

Problem conclusion

  • Manager is not allowed to modify his own role.
    
    Manual Steps:
    Manual steps required during installation and uninstallation
    - see details in steps below.
    
    Failing Module(s):
       Composite Applications
    
    Affected Users:
       Administrative users
    
    Version Information:
        Portal Version(s): 6.0.1.1
         Pre-Requisite(s): PK69832
          Co-Requisite(s): ---
    
    Platform Specific:
       This fix applies to all platforms.
    
    Installation:
    
    NOTE:
    YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO
    INSTALL A FIX.
    The Portal Update Installer can be downloaded from the following
    link:
    http://www.ibm.com/support/docview.wss?rs=688&uid=swg24006942
    
    Reminder:
    The version of PUI used varies based on the version of WebSphere
    Portal.
    Ensure the correct version is in use.
    
    1. Create temporary "fix" directory to store the jar file.
    2. Copy jar file to this directory.
    3. Shutdown WebSphere Portal.
    4. Follow the fix installation instructions that are packaged
    with the Portal Update Installer on how to install the fix.
    5. Run configuration task
       <WPS_HOME>/config/WPSconfig.[bat|sh] config-pm10246
    6. Restart WebSphere Portal.
    7. The temporary directory may be removed.
    
    Un-Installation:
    
    NOTE:
    FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT
    REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN
    REMOVED.
    YOU MAY REAPPLY ANY REMOVED FIX.
    
    1. Shutdown WebSphere Portal.
    2. Follow the instructions that are packaged with the Portal
    Update Installer on how to uninstall the fix.
    3. Restart WebSphere Portal.
    
    A fix is available from Fix Central:
    
    http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorde
    r?apar=PM11708&productid=WebSphere%20Portal&brandid=5
    
    You may need to type or paste the complete address into your Web
    browser.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM11708

  • Reported component name

    WEBSPHERE PORTA

  • Reported component ID

    5724E7600

  • Reported release

    60E

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-04-08

  • Closed date

    2010-05-26

  • Last modified date

    2010-05-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE PORTA

  • Fixed component ID

    5724E7600

Applicable component levels

  • R60E PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSHRKX","label":"WebSphere Portal"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.1.1","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
26 May 2010