IBM Support

IT08749: ACCESS PERMISSIONS TO A COMMON DOMAIN SHOULD BE ADDITIVE FOR USERS IN MULTIPLE LDAP GROUPS


APAR status

  • Closed as fixed if next.

Error description

  • An LDAP user belongs to multiple user groups that grant different
    access permissions for the same domain.  For example, the user
    belongs to the following groups with the access permissions below:
    
    Group1:  */default/*?Access=r
    Group2:  */default/*?Access=rwadx
    
    Combining the access permissions of the groups above results in
    the user having only read access to the default domain instead
    of full access.  This is because the stricter access takes
    precedence, which can cause unexpected access with LDAP multiple
    group support in 7.0 and above.
    
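The following is an added illustration, not IBM's or DataPower's code: it models how per-group access rules of the form shown above combine for one user, contrasting the "stricter rule wins" (intersection) behaviour the APAR describes with the additive (union) behaviour it asks for. The rule syntax, the privilege letters r/w/a/d/x and the parsing are assumptions for the example, taken only from the two Group1/Group2 lines in the description.

```python
"""Added example: combining per-group access rules for the same resource pattern.

Assumption (ours, not from the APAR): a rule is '<resource-pattern>?Access=<letters>',
each letter being one privilege, and a user's effective permission for a pattern
is derived from every group the user belongs to.
"""
from functools import reduce

PRIVILEGES = "rwadx"  # canonical ordering, used only when printing the result


def parse_rule(rule: str) -> tuple[str, frozenset[str]]:
    """Split '*/default/*?Access=rwadx' into ('*/default/*', {'r','w','a','d','x'})."""
    pattern, _, query = rule.partition("?")
    key, _, value = query.partition("=")
    if key != "Access":
        raise ValueError(f"unexpected query key in rule: {rule!r}")
    letters = set(value)
    unknown = letters - set(PRIVILEGES)
    if unknown:
        raise ValueError(f"unknown privilege letters {sorted(unknown)} in {rule!r}")
    return pattern, frozenset(letters)


def effective_permissions(group_rules, additive=True):
    """Combine the rules of all groups a user belongs to, per resource pattern.

    additive=True  -> union of privileges (the behaviour the APAR requests)
    additive=False -> intersection, i.e. the stricter rule wins (the defect
                      behaviour the APAR describes)
    Returns {pattern: privilege-letters}, letters in canonical order.
    """
    per_pattern: dict[str, list[frozenset[str]]] = {}
    for rule in group_rules:
        pattern, privs = parse_rule(rule)
        per_pattern.setdefault(pattern, []).append(privs)
    combine = frozenset.union if additive else frozenset.intersection
    return {
        pattern: "".join(c for c in PRIVILEGES if c in reduce(combine, sets))
        for pattern, sets in per_pattern.items()
    }


# Constructed sample input: the two groups from the APAR's error description.
GROUP_RULES = [
    "*/default/*?Access=r",      # Group1
    "*/default/*?Access=rwadx",  # Group2
]

if __name__ == "__main__":
    print("stricter wins:", effective_permissions(GROUP_RULES, additive=False))
    print("additive:     ", effective_permissions(GROUP_RULES, additive=True))
```

With the sample groups, the intersection yields only `r` for `*/default/*`, which is the unexpected result described above; the union yields `rwadx`. When auditing an RBM configuration for this condition, look for two or more groups a single user is a member of whose rules share the same resource pattern but differ in their Access letters.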

Local fix

  • Change the LDAP user group configuration such that one user
    cannot have different access for the same domain.
    

Problem summary

  • Affected are DataPower installations using RBM with multiple
    LDAP groups, some of which provide conflicting access policies
    for the same resource type.
    
    These conflicting access policies might not provide the desired
    permissions.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT08749

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    700

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-05-06

  • Closed date

    2015-05-27

  • Last modified date

    2016-09-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R700 PSY

       UP



Document information

More support for: IBM DataPower Gateways
General

Software version: 7.0.0

Reference #: IT08749

Modified date: 27 September 2016