Troubleshoot: Access control problems
Access control problems are often indicated by generic application errors with error message keys such as _ERR_USER_AUTHORITY. The first step in problem determination is to enable tracing for the access control component.
- Turn on the access control trace component, WC_ACCESSCONTROL, in WebSphere Application Server (WAS).
- Open the trace.log file.
- Starting from the end of the file, perform a backward search for '=false' to find the access control check that failed. For example:
  WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
- To determine what was being checked, perform another backward search for the string 'isAllowed?'. For example:
  WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=100000000505; Action=Execute; Resource= com.ibm.commerce.usermanagement.commands.UserRegistrationAdminUpdateCmdImpl; Owner=7000000020002000000; Resource Ancestor Orgs=7000000020002000000,7000000020000000000,-2001; Resource Applicable Orgs=7000000020002000000
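The two backward searches above can be scripted when the trace is large. The following Python is an added example, not part of the product or its documentation; it assumes the two line shapes shown above, and the function names and the first two sample lines are constructed for illustration.

```python
# Constructed sample: the last two lines are the examples from this topic,
# the first two are an invented passing check. "..." stands for the
# timestamp/thread columns of a real trace.log line.
SAMPLE_TRACE = """\
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=1001; Action=Display; Resource=com.example.ViewA; Owner=7000; Resource Ancestor Orgs=7000,-2001; Resource Applicable Orgs=7000
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =true
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=100000000505; Action=Execute; Resource= com.ibm.commerce.usermanagement.commands.UserRegistrationAdminUpdateCmdImpl; Owner=7000000020002000000; Resource Ancestor Orgs=7000000020002000000,7000000020000000000,-2001; Resource Applicable Orgs=7000000020002000000
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
"""


def parse_check(line):
    """Split the text after 'isAllowed? ' into its 'Key=value' fields."""
    detail = line.split("isAllowed? ", 1)[1]
    fields = {}
    for part in detail.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def failed_checks(trace_text):
    """Walk the trace from the end, as the steps describe, and return the
    details of each failed check, most recent first.

    Assumption: a 'PASSED?' line and its 'isAllowed?' line are not separated
    by another thread's check; on a busy server, filter to one thread first.
    """
    failures = []
    want_detail = False
    for line in reversed(trace_text.splitlines()):
        if "PolicyManagerImpl.isAllowed" not in line:
            continue
        if "PASSED? =false" in line:
            want_detail = True            # step 1: found a failed check
        elif "isAllowed? " in line and want_detail:
            failures.append(parse_check(line))   # step 2: what was checked
            want_detail = False
    return failures


if __name__ == "__main__":
    for check in failed_checks(SAMPLE_TRACE):
        print("DENIED user={User} action={Action} resource={Resource} "
              "owner={Owner}".format(**check))
```

The Action, Resource, and Owner values it reports are the ones to compare against your access control policies in the topics that follow.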
These topics describe how to resolve common access control problems:
- Missing policy for a new view
- Missing policy for a new controller command
- Missing policy when extending an existing controller command
- Policy group subscription
- Member hierarchy of resource
- Troubleshoot: Missing policy for a new view
  A new view is missing an access control policy.
- Troubleshoot: Missing policy for new controller command
  A controller command was added without an accompanying access control policy.
- Troubleshoot: Missing resource-level policy for a command
  A controller command that does resource-level access control checking was extended without adding the resource-level access control policy for the new command.
- Troubleshoot: Policy group subscription
  A policy that you expect to grant access appears in the trace; however, it is not being applied.
- Troubleshoot: Member hierarchy of resource owner is invalid
  An application error message indicates that the membership hierarchy of a resource owner is invalid.
- Troubleshoot: Unexpected access control error after subscribing a policy group to an organization
  An access control error can occur when you try to manage an organization (or its descendants) for which you already have authority.