AdminUI returns error when creating Identity Mapping: Fatal: Failed to execute CreateIdentityMappingEvent. ERROR MESSAGE: SmApiWrappedException:Insufficient rights


Article ID: 7009

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We are using an external User Store (AD) to protect AdminUI and delegating granular permissions to different admin accounts. Some of them have the Mapping Administration (View & Manage) rights enabled; however, when creating an Identity Mapping, we get the following error in AdminUI:

Fatal: Failed to execute CreateIdentityMappingEvent. ERROR MESSAGE: SmApiWrappedException:Insufficient rights. (create, CA.SM::[email protected](my_id_mapping))

When we try to create it with a superuser account (explicitly defined), then we can create it with no errors.

How can we create an Identity Mapping with a specific administrator and avoid that error?

Cause

This error shows up because the SecCat.xdd file content (under <install path>\xps\dd\ folder) is missing the administration security classes for Identity Mapping.

Environment

Policy Server R12.52 SP1 CR05

AdminUI R12.52 SP1 CR05

NOTE: This defect also affects Policy Server/Admin UI release 12.6 SP1.

Resolution

To solve the issue, upgrade the Policy Server to 12.52 SP1 CR08, where the SecCat.xdd file has been updated to include the classes by default, or modify SecCat.xdd directly as shown below. If you are using 12.6 SP1, you can also apply the fix manually.

To make the changes manually, edit your current Policy Server SecCat.xdd as follows:

- Stop the Policy Server if it is running.
- Take a backup of the SecCat.xdd file (under the \xps\dd\ folder).
- Add the following entries to SecCat.xdd in the SecurityCategory section with Name=Mapping Administration, after the Class=CA.SM::AuthAzMap entry:

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMapping
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMappingEntry
RightsMask=63

- Before adding the above entries, the section in SecCat.xdd looks like this:

[SecurityCategory]
Name=Mapping Administration
Description=Administration of Directory Mapping objects
#ScopingClass=
#ScopeRequired=
#CopyScope=
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthValidateMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56

- After adding the suggested entries, the section looks like this:

[SecurityCategory]
Name=Mapping Administration
Description=Administration of Directory Mapping objects
#ScopingClass=
#ScopeRequired=
#CopyScope=
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMapping
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMappingEntry
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthValidateMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56

- Save the changes and go to the /xps/dd folder under the Policy Server installation path (where the SecCat.xdd file is located).
- Run XPSDDInstall SecCat.xdd to import the changes into the Policy Store.
- Restart the Policy Server.
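
The manual edit above can be checked before import with a small script. The following is an added example, not vendor code: it assumes SecCat.xdd uses the block layout shown in this article, the function names are illustrative, and the sample input is constructed from the "before" section above.

```python
# Added example, not vendor code; assumes the SecCat.xdd block layout shown above.
REQUIRED = ("CA.SM::IdentityMapping", "CA.SM::IdentityMappingEntry")
PARENT = "!Mapping Administration"
ANCHOR = "CA.SM::AuthAzMap"  # new entries go right after this block
# Constructed sample: a shortened copy of the "before" section above.
SAMPLE = """[SecurityCategory]
Name=Mapping Administration

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63
"""

def blocks(lines):
    """Return (end_index, class_name) for each ClassCategory under PARENT."""
    fields, out = None, []
    for i, raw in enumerate(lines + ["["]):  # sentinel closes the last block
        line = raw.strip()
        if fields is not None and (not line or line.startswith("[")):
            if fields.get("PARENT") == PARENT:
                out.append((i, fields.get("Class")))
            fields = None
        if line == "[ClassCategory]":
            fields = {}
        elif fields is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return out

def missing_classes(text):
    """List the required Identity Mapping classes absent from the category."""
    have = {cls for _, cls in blocks(text.splitlines())}
    return [c for c in REQUIRED if c not in have]

def add_missing(text):
    """Return text with the missing entries inserted after the anchor block."""
    lines, new = text.splitlines(), []
    ends = [end for end, cls in blocks(lines) if cls == ANCHOR]
    if not ends:
        raise ValueError("anchor ClassCategory entry not found")
    for cls in missing_classes(text):
        new += ["", "[ClassCategory]", f"PARENT={PARENT}", f"Class={cls}", "RightsMask=63"]
    return "\n".join(lines[:ends[0]] + new + lines[ends[0]:]) + "\n"
```

`add_missing` works on text only and writes LF line endings; run it against a copy of the backed-up file and compare the result with the "after" section before importing it with XPSDDInstall.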