Disabled User doesn't get Authorized as it was in Policy Server 6
search cancel

Disabled User doesn't get Authorized as it was in Policy Server 6


Article ID: 8758


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



When running Policy Server, and for a specific URL, the Policy Server never authorizes the User as it should. Before, the former Policy Server version 6 was authorizing this access, and there wasn't any configuration change on this.




Policy Server 12.52SP1 on RedHat 6 64bit; (Policy Server was upgraded from 6.0SP5CR05)
AdminUI 12.52SP1 on RedHat 6 64bit;
Web Agent 5QMR7CR00 on Windows 2003SP2




The authorization fails because of the User not being found in the authorization mapping: The User is disabled.

The User is not authorized when requesting a GET on the protected resource.  

The Policy Server 12.52SP1 does not find it in one of the LDAP servers defined for that resource:


The former Policy Server 6.0SP5CR05 had a bug that was corrected in 6.0SP5CR25, to fix a known issue for a condition that was allowing access even if the User was disabled.

Now, the behavior has changed since Policy Server 6.0SP5CR35, and the user needs to be enabled in the Authorization User Store too. 

From smps-6_0_5_35-readme.txt :

   80437 The policy server directory mapping feature will no longer
         authorize a user when the authorization user directory has disabled
         the user but the authentication user directory has not disabled them.




  • Enable the User from the User Store, so the Authorization call works with the Authorization Mapping.