Cannot view Access Manager 4.3 iManager dashboard when logging in with user inside ou=delegatedusers,o=novell container

  • 7018232
  • 03-Nov-2016
  • 03-Nov-2016

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2

Situation

A multi-environment NAM 4.1 setup existed with 'delegated administration' enabled. The administrator had created a user object in novell\delegatedusers for each delegated admin. All these users could log in and access all parts of the setup they were entitled to, although most delegated administrators had full rights to administer all components.

This worked well for a long time, but has fallen over with the upgrade to 4.3. Delegated admins are now greeted with the error "Dashboard not available for the user".

Looking at the Administration Console log files (catalina.out) shows the following entries added when the delegated admin user logs in:

Nov 01, 2016 10:18:57 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [RESTServices] in context with path [/adminui] threw exception [java.lang.RuntimeException: com.microfocus.amsvc.v1.sdk.client.ApiException: {"response":{"code":"FORBIDDEN","detail":"Forbidden. User does not have rights"}}] with root cause
com.microfocus.amsvc.v1.sdk.client.ApiException: {"response":{"code":"FORBIDDEN","detail":"Forbidden. User does not have rights"}}
        at com.microfocus.amsvc.v1.sdk.client.ApiClient.invokeAPI(ApiClient.java:446)
        at com.microfocus.amsvc.v1.sdk.api.PoliciesApi.getPolicyContainers(PoliciesApi.java:92)
        at com.microfocus.am.server.services.HomeService.getPolicyList(HomeService.java:209)
        at com.microfocus.am.server.services.HomeService.getPolicyList(HomeService.java:188)
        at sun.reflect.GeneratedMethodAccessor579.invoke(Unknown Source)
:

Nov 01, 2016 10:19:13 AM com.microfocus.amapi.v1.resources.BasicServiceAPI checkUserInRole
INFO: Forbidden. User does not have rights

Nov 01, 2016 10:19:13 AM com.microfocus.amapi.v1.resources.PolicyContainersAPI getPolicyContainers
INFO: Forbidden access

Nov 01, 2016 10:19:13 AM com.microfocus.am.server.services.HomeService getPolicyList
WARNING: Failed to query list of Policies.
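
To confirm that a dashboard failure matches this issue, the three records above can be searched for as an ordered sequence in catalina.out. The following is an added example, not NetIQ code: the function names and the 5-second window are assumptions, and the sample is built from the log lines in this article.

```python
import re
from datetime import datetime, timedelta
# java.util.logging writes two lines per record: "<date> <class> <method>", then "<LEVEL>: <msg>"
HEADER = re.compile(r"^(\w{3} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO): (.*)$")
# (class name, method, message fragment) of the three records shown in the article
SIGNATURE = [
    ("BasicServiceAPI", "checkUserInRole", "User does not have rights"),
    ("PolicyContainersAPI", "getPolicyContainers", "Forbidden access"),
    ("HomeService", "getPolicyList", "Failed to query list of Policies"),
]

def parse_records(text):
    """Yield (timestamp, class, method, message); stack-trace and blank lines are skipped."""
    header = None
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):
            header = HEADER.match(line)
        elif header and LEVEL.match(line):
            ts = datetime.strptime(header[1], "%b %d, %Y %I:%M:%S %p")
            yield ts, header[2].rsplit(".", 1)[-1], header[3], LEVEL.match(line)[2]
            header = None

def _matches(rec, i):
    return rec[1:3] == SIGNATURE[i][:2] and SIGNATURE[i][2] in rec[3]

def find_dashboard_denials(text, window=timedelta(seconds=5)):
    """Return the start time of every in-order run of the three signature records."""
    hits, step, start = [], 0, None
    for rec in parse_records(text):
        if _matches(rec, 0):            # a new rights check restarts the sequence
            step, start = 1, rec[0]
        elif step and rec[0] - start <= window and _matches(rec, step):
            step += 1
            if step == len(SIGNATURE):
                hits.append(start)
                step = 0
    return hits

# Constructed sample: records taken from this article's catalina.out excerpt
SAMPLE = """\
        at com.microfocus.amsvc.v1.sdk.client.ApiClient.invokeAPI(ApiClient.java:446)
Nov 01, 2016 10:19:13 AM com.microfocus.amapi.v1.resources.BasicServiceAPI checkUserInRole
INFO: Forbidden. User does not have rights
Nov 01, 2016 10:19:13 AM com.microfocus.amapi.v1.resources.PolicyContainersAPI getPolicyContainers
INFO: Forbidden access
Nov 01, 2016 10:19:13 AM com.microfocus.am.server.services.HomeService getPolicyList
WARNING: Failed to query list of Policies.
"""
```

The log records do not carry the user's DN, so a hit only gives the time of the denied dashboard load; correlate it with the login time of the affected delegated admin.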


Resolution

A few options exist:

a) Move all users needing access to the NAM dashboard to the o=novell container.
b) Move all users needing access to another OU under o=novell. For example, create a new container ou=AdminUsers,o=novell and move the users in there.

The back-end /adminui endpoint does not allow requests from users in the delegated administration container. This is documented in the NAM 4.2 release notes (https://www.netiq.com/documentation/access-manager-42/accessmanager42-release-notes/data/accessmanager42-release-notes.html#b1hxqncf), but it was not listed as a known issue in the 4.3 release notes.