Troubleshoot: Access control problems
Access control problems are often indicated by generic application errors with error message keys such as _ERR_USER_AUTHORITY. The first step in problem determination is to enable tracing for the access control component.
- Turn on the access control trace component, WC_ACCESSCONTROL, in the WebSphere Application Server.
- Open the trace.log file.
- Start from the end of the file, perform a backward search for '=false' to find access control check that failed. For example:
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed PASSED? =false
- To determine what was being checked, perform another backward search for the string isAllowed? . For example:
WC_ACCESSCONT ... PolicyManagerImpl.isAllowed isAllowed? User=100000000505; Action=Execute; Resource= com.ibm.commerce.usermanagement.commands.UserRegistrationAdminUpdateCmdImpl; Owner=7000000020002000000; Resource Ancestor Orgs=7000000020002000000,7000000020000000000,-2001; Resource Applicable Orgs=7000000020002000000
- Troubleshoot: Missing policy for a new view
A new view is missing an access control policy.
- Troubleshoot: Missing policy for new controller command
A controller command was added without an accompanying access control policy.
- Troubleshoot: Missing resource-level policy for a command
A controller command, that does resource level access control checking, was extended without adding the resource-level access control policy for the new command
- Troubleshoot: Policy group subscription
A policy that you expect to grant access appears in the trace, however it is not being applied.
- Troubleshoot: Member hierarchy of resource owner is invalid
An application error message indicates that the membership hierarchy of a resource owner is invalid.
- Troubleshoot: Unexpected access control error after subscribing a policy group to an organization
An access control error can occur, when trying to manage organization (or its descendants) for which you already have authority.