AdminUI returns error when creating Identity Mapping : Fatal: Failed to execute CreateIdentityMappingEvent. ERROR MESSAGE: SmApiWrappedException:Insufficient rights

Document ID:  TEC1343341
Last Modified Date:  06/15/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER WAM UI:SMAUI
Issue:

We use an external user store (AD) to protect AdminUI and delegate granular permissions to different admin accounts. Some of these accounts have the Mapping Administration (View & Manage) rights enabled; however, when creating an Identity Mapping, we get the following error in AdminUI:

Fatal: Failed to execute CreateIdentityMappingEvent. ERROR MESSAGE: SmApiWrappedException:Insufficient rights. (create, CA.SM::IdentityMapping@67c6fdeb-3130-1014-a25d-843bdc4e0000(my_id_mapping))

When we try to create it with a superuser account (explicitly defined), then we can create it with no errors.

How can we create an Identity Mapping with a specific administrator and avoid that error?

Environment:
Policy Server R12.52 SP1 CR05
AdminUI R12.52 SP1 CR05
Cause:

This error shows up because the SecCat.xdd file content (under <install path>\xps\dd\ folder) is missing the administration security classes for Identity Mapping.

Resolution:

To solve the issue, upgrade the Policy Server to 12.52 SP1 CR08, where the SecCat.xdd file has been updated to include these classes by default.

Alternatively, you can add the following lines directly to the SecCat.xdd file of your current Policy Server version:

- Stop the Policy Server if it is running.
- Take a backup of the SecCat.xdd file (under the \xps\dd\ folder).
- Add the following entries to SecCat.xdd in the SecurityCategory section with Name=Mapping Administration, after the Class=CA.SM::AuthAzMap entry:

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMapping
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMappingEntry
RightsMask=63

- Before adding the entries above, the section in SecCat.xdd looks like this:

[SecurityCategory]
Name=Mapping Administration
Description=Administration of Directory Mapping objects
#ScopingClass=
#ScopeRequired=
#CopyScope=
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthValidateMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56

- After adding the suggested entries, the section looks like this:

[SecurityCategory]
Name=Mapping Administration
Description=Administration of Directory Mapping objects
#ScopingClass=
#ScopeRequired=
#CopyScope=
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMapping
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMappingEntry
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthValidateMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56

- Save the changes, and go to the /xps/dd folder under the Policy Server installation path (where the SecCat.xdd file is located).
- Run XPSDDInstall SecCat.xdd to import the changes into the Policy Store.
- Restart the Policy Server.
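
Because SecCat.xdd defines which object classes each administrative category can touch, it is worth confirming that the manual edit added only the two Identity Mapping entries before importing it. The following check is an added example, not CA tooling or code from this document; it assumes the file uses only the `[Section]` / `KEY=value` layout shown above, the function names are hypothetical, and the sample text is constructed from the sections in this article.

```python
import re

# Constructed sample: the article's "before" section, trimmed to two classes.
BEFORE = """[SecurityCategory]
Name=Mapping Administration
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56
"""
# Constructed "after" text: the two new entries placed after the AuthAzMap entry.
parts = BEFORE.split("\n\n")
ADDED = [f"[ClassCategory]\nPARENT=!Mapping Administration\nClass=CA.SM::{c}\nRightsMask=63"
         for c in ("IdentityMapping", "IdentityMappingEntry")]
AFTER = "\n\n".join(parts[:2] + ADDED + parts[2:])

# The only changes the article's procedure should introduce.
EXPECTED = {("Mapping Administration", "CA.SM::IdentityMapping"): 63,
            ("Mapping Administration", "CA.SM::IdentityMappingEntry"): 63}

def class_rights(text):
    """Return {(category, class): RightsMask} for every [ClassCategory] block."""
    rights = {}
    for block in re.split(r"(?m)^\[", text):
        header, _, body = block.partition("]")
        if header.strip() != "ClassCategory":
            continue
        kv = {k.strip(): v.strip() for k, v in
              (ln.split("=", 1) for ln in body.splitlines()
               if "=" in ln and not ln.lstrip().startswith("#"))}
        rights[(kv["PARENT"].lstrip("!"), kv["Class"])] = int(kv["RightsMask"])
    return rights

def review_edit(before_text, after_text):
    """Compare the backup with the edited file: (missing, unexpected) changes."""
    before, after = class_rights(before_text), class_rights(after_text)
    missing = {k: v for k, v in EXPECTED.items() if after.get(k) != v}
    changed = {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}
    return missing, sorted(changed - set(EXPECTED))
```

Run `review_edit` on the contents of the backup and the edited SecCat.xdd; an empty `missing` dict and an empty `unexpected` list mean the edit matches the procedure and no other class or RightsMask was altered.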
