Fixes are available
APAR status
Closed as fixed if next.
Error description
An LDAP user belongs to multiple user groups and has different access permissions for the same domain. For example, the user belongs to the following groups with the access permissions below:
Group1: */default/*?Access=r
Group2: */default/*?Access=rwadx
Combining the access permissions of the groups above results in the user having only read access to the default domain instead of full access. This is because the stricter access takes precedence, which can cause unexpected access with LDAP multiple group support in 7.0 and above.
Local fix
Change the LDAP user group configuration such that one user cannot have different access for the same domain.
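An audit for the condition the local fix asks you to eliminate, added here as an example and not IBM's code: it flags users whose groups grant different Access values for the same policy target. The user and group mappings are constructed sample data, the function names are hypothetical, and only identical target strings are compared (overlapping wildcards are not resolved).

```python
from collections import defaultdict

# Constructed sample data: group -> access policies, user -> LDAP groups.
GROUP_POLICIES = {
    "Group1": ["*/default/*?Access=r"],
    "Group2": ["*/default/*?Access=rwadx"],
    "Group3": ["*/test/*?Access=r"],
}
USER_GROUPS = {"alice": ["Group1", "Group2"], "bob": ["Group1", "Group3"]}


def parse_policy(policy):
    """Split '<target>?Access=<flags>' into (resource key, frozenset of flags)."""
    target, sep, query = policy.partition("?")
    if not sep:
        raise ValueError(f"no query part in policy: {policy!r}")
    fields = dict(p.partition("=")[::2] for p in query.split("&") if p)
    if "Access" not in fields:
        raise ValueError(f"no Access field in policy: {policy!r}")
    # Assumption: any other query fields narrow the resource, so they
    # are kept as part of the key rather than ignored.
    other = tuple(sorted((k, v) for k, v in fields.items() if k != "Access"))
    return (target, other), frozenset(fields["Access"])


def find_conflicts(user_groups, group_policies):
    """Return {user: {resource key: [(group, flags), ...]}} where flags differ."""
    conflicts = {}
    for user, groups in user_groups.items():
        by_key = defaultdict(list)
        for group in groups:
            for policy in group_policies.get(group, []):
                key, flags = parse_policy(policy)
                by_key[key].append((group, flags))
        clashing = {k: entries for k, entries in by_key.items()
                    if len({flags for _, flags in entries}) > 1}
        if clashing:
            conflicts[user] = clashing
    return conflicts


if __name__ == "__main__":
    for user, clashes in find_conflicts(USER_GROUPS, GROUP_POLICIES).items():
        for (target, _), entries in clashes.items():
            detail = ", ".join(f"{g}={''.join(sorted(f))}" for g, f in entries)
            print(f"{user}: conflicting access on {target}: {detail}")
```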
Problem summary
Affected are DataPower installations using RBM with multiple LDAP groups, some of which provide conflicting access policies for the same resource type. These conflicting access policies might not provide the desired permissions.
Problem conclusion
Fix is available in 7.5.0.4 and 7.5.1.3. For a list of the latest fix packs available, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21237631
Temporary fix
Comments
APAR Information
APAR number
IT08749
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
700
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-05-06
Closed date
2015-05-27
Last modified date
2016-09-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
11 February 2022