Correct Integrity Errors [sm-xobsm-01400] of Policy Store

Article ID: 381243

Products

SITEMINDER

Issue/Introduction

The document (https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/upgrading/correct-integrity-errors-of-policy-store.html) says,

"[sm-xobsm-01400] Using a Role active expression, but the corresponding Role object does not exist
This error indicates that the Policy is configured with a Role that cannot be resolved. 
This integrity error has no runtime security impact. 
A policy object is created when a role object is used against a resource object. 
When there is no role object, the presence of policy object is not valid.
Therefore, creating a dummy role that does not provide access to the protected resource resolves this issue.
This integrity error can be repaired automatically. 
Applying the changeset file corrects this issue by creating a dummy role for the Policy.

Action required after the automatic repair is applied: 
Use the Administrative UI to select users for the auto-generated role and change the default auto-generated role name and description."

What are the detailed steps to fix the non-existent role issue?

Resolution

Check the changeset file to find out which application(s) have the issue. The steps below assume that two applications, application1 and application2, refer to non-existent roles.

  1. After running "XPSSweeper -a" to generate the changeset file, run "XPSImport -changeset <changeset filename>" to import the dummy role. The dummy role's name begins with "autogen_role".
  2. Log in to the Administrative UI and navigate to "Policies" > "Application" > "Applications".
  3. Modify application1.
  4. Click the "Policies" tab and find the "autogen_role..." entry and its associated resources.
  5. Note the associated resource name, then on the "Roles" tab create a new role for this resource with the proper users.
  6. Go back to the "Policies" tab, unlink the resource from "autogen_role...", and link it to the new role.
  7. Delete the dummy role whose name starts with "autogen_role...".
  8. Repeat steps 2 to 7 for application2.

PS: users cannot be changed or selected for the imported dummy role, which is why a new role is needed.

Additional Information