Permission Denied - cmdctrl request denied

  • 7018222
  • 01-Nov-2016
  • 01-Nov-2016

Environment

NetIQ Privileged Account Manager

Situation

How to troubleshoot cmdctrl request denied / permission denied errors
A user is unable to access the desired endpoint and may receive a Permission Denied error.
The unifid.log on the server processing the cmdctrl request will report something similar to:
Info, cmdctrl request denied for '<ssh>' from <accountDomain>\<submitUser>@<submitHost>
Note: <accountDomain>, <submitUser> and <submitHost> will be replaced with relevant request information.

Resolution

Permission Denied and request denied errors occur when cmdctrl determines that the submitted request is unauthorized, based on the chain of rules matched against the request. It can sometimes be difficult to understand exactly why a particular configuration is denied; however, the unifid.log reveals detailed information about the request and the cmdctrl rules that were matched for processing, which generally provides enough contextual clues to determine the root cause of a denied request. The following details an example issue and an approach to determining the cause.

On the Manager server (or whichever server is responsible for the cmdctrl module), something similar to the following example may be displayed:
Info, cmdctrl request denied for '<ssh>' from ACCOUNTDOMAIN\user@workstation.domain.com
Note: The details of this log statement and those that follow will depend on the environment and request.

Prior to this statement in the log, more information is recorded about the request and the rules matched for processing. Search upward in the log for a block similar to the following:
Debug, Db cmdctrl.db - executing statement: SELECT id, submituser, runAs, Credential, runHost, target, videoCapture, req_type, exp_time from Requests where submituser=:suser AND status=:EmergAcc AND exp_time >:expired_requests_time AND runHost=:runHost AND runAs=:runAs
Debug, Db cmdctrl.db - spf_db_t parameter count: 5
Debug, Db cmdctrl.db - Binding parameter 0(suser) suser = ACCOUNTDOMAIN\user
Debug, Db cmdctrl.db - Binding parameter 1(EmergAcc) EmergAcc = 2
Debug, Db cmdctrl.db - Binding parameter 2(expired_requests_time) expired_requests_time = 1478010724
Debug, Db cmdctrl.db - Binding parameter 3(runHost) runHost = server.domain.com
Debug, Db cmdctrl.db - Binding parameter 4(runAs) runAs = root
Debug, checkauth: log <History><a.Rule name="Block Access" I.type="0" b.disabled="1" I.key="7432"/><a.Rule submitHost="workstation.domain.com" submitUser="ACCOUNTDOMAIN\\user" runHost="server.domain.com" runUser="root" stop="Next" i.video_index="1" i.video_fps="10" b.VideoCapture="0" b.capture="0" b.authorized="0" b.secauthrequired="0" b.matched="1" name="UNIX / Linux" type="Rule" b.disabled="0" I.key="7442"/><a.Rule submitHost="workstation.domain.com" submitUser="ACCOUNTDOMAIN\\user" runHost="server.domain.com" runUser="root" stop="Next" i.video_index="1" i.video_fps="10" b.VideoCapture="0" b.capture="0" b.authorized="0" b.secauthrequired="0" b.matched="1" name="SSH-Relay" type="Rule" b.disabled="0" I.key="7387"/><a.Rule submitHost="workstation.domain.com" submitUser="ACCOUNTDOMAIN\\user" runHost="server.domain.com" runUser="root" stop="Stop" i.video_index="1" i.video_fps="10" b.VideoCapture="0" b.capture="0" b.authorized="0" b.secauthrequired="0" b.matched="1" name="Deny" type="Rule" b.disabled="0" I.key="7389"/></History>

Note: The information above details the binding parameters associated with the request and then lists the matching rules used for processing. A rule in this list or lack thereof could be a potential cause for the denied request.

A readable trace of the processed cmdctrl rules can be produced by parsing out, and optionally pretty-printing, the XML of the <History> element:
<History>
    <a.Rule name="Block Access" I.type="0" b.disabled="1" I.key="7432" />
    <a.Rule submitHost="tharris1.lab.novell.com" submitUser="THARRIS2012\\blockedUser" runHost="tharris7.lab.novell.com" runUser="root" stop="Next" i.video_index="1" i.video_fps="10" b.VideoCapture="0" b.capture="0" b.authorized="0" b.secauthrequired="0" b.matched="1" name="UNIX / Linux" type="Rule" b.disabled="0" I.key="7442" />
    <a.Rule submitHost="tharris1.lab.novell.com" submitUser="THARRIS2012\\blockedUser" runHost="tharris7.lab.novell.com" runUser="root" stop="Next" i.video_index="1" i.video_fps="10" b.VideoCapture="0" b.capture="0" b.authorized="0" b.secauthrequired="0" b.matched="1" name="SSH-Relay" type="Rule" b.disabled="0" I.key="7387" />
    <a.Rule submitHost="tharris1.lab.novell.com" submitUser="THARRIS2012\\blockedUser" runHost="tharris7.lab.novell.com" runUser="root" stop="Stop" i.video_index="1" i.video_fps="10" b.VideoCapture="0" b.capture="0" b.authorized="0" b.secauthrequired="0" b.matched="1" name="Deny" type="Rule" b.disabled="0" I.key="7389" />
</History>

Note: In this example, it is likely that ACCOUNTDOMAIN\user@workstation.domain.com was denied '<ssh>' access by cmdctrl because of the "Deny" rule. Of note, this particular rule was the last to be processed in this chain because "Authorize" was set to "No" and to "Stop if unauthorized." Upon further investigation, it became clear that this Deny rule had a condition to block users belonging to a particular external LDAP group.
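The manual procedure above (read the binding parameters, extract the <History> XML, pretty-print it, and walk the rule chain to the rule that stopped processing unauthorized) can be scripted. The following is an added example written for this article, not a NetIQ tool or part of the product. It runs on a constructed unifid.log excerpt modelled on the lines shown above (the video-capture attributes are trimmed for brevity); the function names, the assumption that the <History> block sits on one log line, and the "stop=Stop wins, otherwise last matched rule" interpretation are this example's own.

```python
"""Trace why cmdctrl denied a request from a unifid.log excerpt (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed unifid.log excerpt modelled on the article's
# example. Hostnames, users and rule keys are the article's sanitized values.
SAMPLE_LOG = r"""Debug, Db cmdctrl.db - Binding parameter 0(suser) suser = ACCOUNTDOMAIN\user
Debug, Db cmdctrl.db - Binding parameter 1(EmergAcc) EmergAcc = 2
Debug, Db cmdctrl.db - Binding parameter 2(expired_requests_time) expired_requests_time = 1478010724
Debug, Db cmdctrl.db - Binding parameter 3(runHost) runHost = server.domain.com
Debug, Db cmdctrl.db - Binding parameter 4(runAs) runAs = root
Debug, checkauth: log <History><a.Rule name="Block Access" I.type="0" b.disabled="1" I.key="7432"/><a.Rule submitHost="workstation.domain.com" submitUser="ACCOUNTDOMAIN\\user" runHost="server.domain.com" runUser="root" stop="Next" b.authorized="0" b.matched="1" name="UNIX / Linux" type="Rule" b.disabled="0" I.key="7442"/><a.Rule submitHost="workstation.domain.com" submitUser="ACCOUNTDOMAIN\\user" runHost="server.domain.com" runUser="root" stop="Next" b.authorized="0" b.matched="1" name="SSH-Relay" type="Rule" b.disabled="0" I.key="7387"/><a.Rule submitHost="workstation.domain.com" submitUser="ACCOUNTDOMAIN\\user" runHost="server.domain.com" runUser="root" stop="Stop" b.authorized="0" b.matched="1" name="Deny" type="Rule" b.disabled="0" I.key="7389"/></History>
Info, cmdctrl request denied for '<ssh>' from ACCOUNTDOMAIN\user@workstation.domain.com
"""

# "Binding parameter N(name) name = value" as logged by the cmdctrl.db lookup.
BIND_RE = re.compile(r"Binding parameter \d+\((\w+)\) \w+ = (.*)")
# The checkauth rule trace is one <History>...</History> element on one line.
HISTORY_RE = re.compile(r"<History>.*?</History>")


def parse_bindings(log_text):
    """Return the SQL bind parameters cmdctrl used to look up the request."""
    return {m.group(1): m.group(2).strip() for m in BIND_RE.finditer(log_text)}


def parse_history(log_text):
    """Extract the <History> element and return its rules in processing order."""
    m = HISTORY_RE.search(log_text)
    if not m:
        return []
    root = ET.fromstring(m.group(0))
    rules = []
    for el in root:  # each child is an <a.Rule .../> entry
        a = el.attrib
        rules.append({
            "name": a.get("name"),
            "key": a.get("I.key"),
            "disabled": a.get("b.disabled") == "1",
            "matched": a.get("b.matched") == "1",
            "authorized": a.get("b.authorized") == "1",
            "stop": a.get("stop"),  # "Next" or "Stop" (absent on disabled rules)
        })
    return rules


def pretty_history(log_text):
    """Re-indent the <History> element one rule per line, as shown in the article."""
    m = HISTORY_RE.search(log_text)
    if not m:
        return ""
    root = ET.fromstring(m.group(0))
    lines = ["<History>"]
    lines.extend("    " + ET.tostring(el, encoding="unicode").strip() for el in root)
    lines.append("</History>")
    return "\n".join(lines)


def find_deciding_rule(rules):
    """Return the enabled, matched rule that ended the chain with stop="Stop",
    falling back to the last enabled matched rule (example interpretation)."""
    active = [r for r in rules if r["matched"] and not r["disabled"]]
    for r in active:
        if r["stop"] == "Stop":
            return r
    return active[-1] if active else None


def explain(log_text):
    """Summarize the request and the rule that denied it."""
    b = parse_bindings(log_text)
    rules = parse_history(log_text)
    deciding = find_deciding_rule(rules)
    out = [f"request: {b.get('suser')} -> {b.get('runAs')}@{b.get('runHost')}"]
    for r in rules:
        state = "disabled" if r["disabled"] else ("matched" if r["matched"] else "not matched")
        out.append(f"  rule {r['key']} '{r['name']}': {state}, "
                   f"authorized={r['authorized']}, stop={r['stop']}")
    if deciding and not deciding["authorized"]:
        out.append(f"denied by rule '{deciding['name']}' (key {deciding['key']}): "
                   f"Authorize=No, stop={deciding['stop']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(pretty_history(SAMPLE_LOG))
    print(explain(SAMPLE_LOG))
```

On the sample, the trace reports the disabled "Block Access" rule, the two matched pass-through rules ("UNIX / Linux" and "SSH-Relay", stop=Next), and names "Deny" (key 7389) as the rule that ended the chain with authorized=0 and stop=Stop, which is the conclusion reached by hand above. To use it on a real server, replace SAMPLE_LOG with the relevant slice of unifid.log (from the binding parameters down to the "request denied" line); the rule keys it prints are the ones to look up in the Command Control Console.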

Cause

cmdctrl denies the submitted request due to the matching rules in the Command Control Console.