IT08749: ACCESS PERMISSIONS TO A COMMON DOMAIN SHOULD BE ADDITIVE FOR USERS IN MULTIPLE LDAP GROUPS
Fixes are available
Closed as fixed if next.
An LDAP user belongs to multiple user groups that have different access permissions for the same domain. For example, the user belongs to the following groups, with the access permissions shown:

Group1: */default/*?Access=r
Group2: */default/*?Access=rwadx

Combining the access permissions of these groups results in the user having only read access to the default domain instead of full access. This is because the stricter access takes precedence, which can cause unexpected access with LDAP multiple group support in 7.0 and above.
Change the LDAP user group configuration such that one user cannot have different access for the same domain.
Affected are DataPower installations using RBM with multiple LDAP groups, some of which provide conflicting access policies for the same resource type. These conflicting access policies might not provide the desired permissions.
Fix is available in 188.8.131.52 and 184.108.40.206.
For a list of the latest fix packs available, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21237631
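The following is an added example, not IBM code: a small audit that finds users whose groups grant different access to the same policy target, which is the condition the local fix says to avoid. It assumes policies in the `target?Access=letters` form shown above, compares targets only as identical strings (no wildcard overlap), and models "stricter takes precedence" as the intersection of the permission sets; the user names, Group3 and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: Group1/Group2 come from the APAR's example;
# the user names and Group3 are made up for illustration.
GROUP_POLICIES = {
    "Group1": ["*/default/*?Access=r"],
    "Group2": ["*/default/*?Access=rwadx"],
    "Group3": ["*/test/*?Access=r"],
}
USER_GROUPS = {
    "alice": ["Group1", "Group2"],  # conflicting access to */default/*
    "bob": ["Group1", "Group3"],    # different targets, no conflict
}

def parse_policy(policy):
    """Split 'target?Access=perms' into (target, frozenset of permission letters)."""
    target, _, query = policy.partition("?")
    perms = ""
    for field in query.split("&"):
        key, _, value = field.partition("=")
        if key == "Access":
            perms = value.replace("+", "")  # tolerate 'r+w' as well as 'rw'
    unknown = set(perms) - set("rwadx")
    if unknown:
        raise ValueError(f"unknown permission letters {sorted(unknown)} in {policy!r}")
    return target, frozenset(perms)

def fmt(perms):
    """Render a permission set in the conventional r, w, a, d, x order."""
    return "".join(p for p in "rwadx" if p in perms)

def audit_user(user):
    """Return {target: (additive, strictest)} where the user's groups disagree."""
    grants = defaultdict(list)
    for group in USER_GROUPS[user]:
        for policy in GROUP_POLICIES[group]:
            target, perms = parse_policy(policy)
            grants[target].append(perms)
    conflicts = {}
    for target, perm_sets in grants.items():
        if len(set(perm_sets)) > 1:
            additive = frozenset().union(*perm_sets)        # what the APAR title asks for
            strictest = frozenset.intersection(*perm_sets)  # assumed model of the reported behaviour
            conflicts[target] = (fmt(additive), fmt(strictest))
    return conflicts

if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, audit_user(user) or "no conflicting policies")
```

Any target reported for a user is one where the effective permissions depend on whether the fix is applied, so those group assignments are the ones to review first.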
Reported component name
Reported component ID
NoSpecatt / Xsystem
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Applicable component levels