
Error: Exception User might not have required permissions in ProxyUI

Article ID: 41809


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER

Issue/Introduction

 

When logging into the CA Access Gateway (SPS) ProxyUI, an error message
is displayed stating:

  "Error: Exception User might not have required permissions to get group information"

and the ProxyUI logs show the following error:

  "ERROR - com.ca.sps.adminui.xpsclient.XPSConnection - Unable to establish administration context."

When navigating to the "Administration" tab, clicking the "Group
Configuration" link and then clicking the "Add" button, the following
error is displayed:

  "Error: Unable to Add a Group"

 

Environment

 

CA Access Gateway (SPS) 12.8

 

Cause

 

If the user logging into the ProxyUI is authenticated/authorized from
a User Directory in the ProxyUI Domain that is not properly configured
against the same User Directory as the External Administrator Store in
SiteMinder, then the user is not considered to be a SiteMinder
Administrator and these error messages will be encountered. In order
to create a Group Configuration in the ProxyUI, the logged-in user
must be a Single Sign-On/SiteMinder Administrator.

 

Resolution

 

To allow a SiteMinder Administrator to create Group Configurations
within the ProxyUI, a User Directory Connection must be created
against the same User Directory that was configured as the External
Administrator Store, and the connection information must match the
connection information entered in the External Administrator Store
configuration. If the Server information for the External
Administrator Store was entered as "IP:PORT", then the Server
information for the User Directory Connection must also be defined as
"IP:PORT". If the Server information for the External Administrator
Store was entered as "FQDN:PORT", then the Server information for the
User Directory Connection must also be defined as "FQDN:PORT".

Further, if the Server information for the External Administrator
Store is configured with failover/load-balancing, then the Server
information for the User Directory Connection must also be defined with
failover/load-balancing. The User Directory connection information for
the User Directory in the ProxyUI Domain must "mirror" the connection
information defined for the External Administrator Store in order for
a user authenticated/authorized from the User Directory to be
considered a SiteMinder Administrator and for the ProxyUI to establish
the administration context.
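
The mirroring requirement above can be checked before changing either object. The following Python sketch is an added example, not Broadcom or SiteMinder code: it compares the two Server field values as copied by hand from the Administrative UI and reports where they diverge. The function names, the sample values, and the assumption that multiple servers are listed in one field separated by spaces or commas (IPv4 only) are this example's own.

```python
import ipaddress
import re


def classify(host):
    """Return 'IP' if host is a literal IP address, otherwise 'FQDN'."""
    try:
        ipaddress.ip_address(host)
        return "IP"
    except ValueError:
        return "FQDN"


def parse_servers(value):
    """Split a Server field into entries, keeping the separator before each one.

    Assumption: servers are written host[:port] and separated by spaces or
    commas; the separator is kept because the list layout must mirror too.
    """
    entries = []
    for sep, token in re.findall(r"([\s,]*)([^\s,]+)", value.strip()):
        host, colon, port = token.rpartition(":")
        if not colon:
            host, port = token, ""
        kind = "," if "," in sep else (" " if sep else "")
        entries.append({"sep": kind, "host": host, "port": port,
                        "form": classify(host)})
    return entries


def mirror_findings(admin_store, user_dir):
    """List every way the User Directory value fails to mirror the admin store."""
    a, u = parse_servers(admin_store), parse_servers(user_dir)
    findings = []
    if len(a) != len(u):
        findings.append(f"server count differs: {len(a)} vs {len(u)}")
    for i, (x, y) in enumerate(zip(a, u), 1):
        if x["form"] != y["form"]:
            findings.append(f"server {i}: {x['form']}:PORT in admin store, "
                            f"{y['form']}:PORT in user directory")
        elif x["host"] != y["host"]:
            findings.append(f"server {i}: host differs")
        if x["port"] != y["port"]:
            findings.append(f"server {i}: port differs")
        if x["sep"] != y["sep"]:
            findings.append(f"server {i}: list separator differs")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for finding in mirror_findings("192.0.2.10:389", "ldap01.example.test:389"):
        print(finding)
```

An empty result means the two values mirror each other under these assumptions; any finding points at the field to correct in the User Directory connection.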

If the External Administrative User Store was of type AD, ADLDS, or
ADAM, the User Directory configured to protect the ProxyUI should be
created in the LDAP namespace to allow the Authenticated User to be
identified as a SiteMinder Administrator.

 

Additional Information

 

Configure an External Administrator Store
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/administrators/configure-an-external-administrator-store.html

Protect the Administrative UI with SiteMinder
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/start-the-administrative-ui-and-manage-objects/protect-the-administrative-ui-with-siteminder.html