AdminUI returns error when creating Identity Mapping : Fatal: Failed to execute CreateIdentityMappingEvent. ERROR MESSAGE: SmApiWrappedException:Insufficient rights

Document ID : KB000007009
Last Modified Date : 14/02/2018
Issue:

We are using an external User Store (AD) to protect AdminUI, and delegating granular permissions to different admin accounts. Some of them have the Mapping Administration (View & Manage) rights enabled; however, when creating an Identity Mapping we get the following error in AdminUI:

Fatal: Failed to execute CreateIdentityMappingEvent. ERROR MESSAGE: SmApiWrappedException:Insufficient rights. (create, CA.SM::IdentityMapping@67c6fdeb-3130-1014-a25d-843bdc4e0000(my_id_mapping))

When we try to create it with a superuser account (explicitly defined), then we can create it with no errors.

How can we create an Identity Mapping with a specific administrator and avoid that error?

Environment:
Policy Server R12.52 SP1 CR05
AdminUI R12.52 SP1 CR05
NOTE: This defect also affects Policy Server/Admin UI release 12.6 SP1.
Cause:

This error shows up because the SecCat.xdd file content (under <install path>\xps\dd\ folder) is missing the administration security classes for Identity Mapping.

Resolution:

To solve the issue, either upgrade the Policy Server to 12.52 SP1 CR08, where the SecCat.xdd file has been updated to include the classes by default, or modify SecCat.xdd directly as shown below. If you are using 12.6 SP1, you can also apply the fix manually.

To make the changes manually, apply the following steps to your current Policy Server SecCat.xdd version:

- Stop Policy Server if running
- Take a backup of the SecCat.xdd file (under \xps\dd\ folder)
- Add the following entries to SecCat.xdd in the SecurityCategory section with Name=Mapping Administration, after the Class=CA.SM::AuthAzMap entry:

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMapping
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMappingEntry
RightsMask=63

- Before the above entries are added, the section in SecCat.xdd looks like this:

[SecurityCategory]
Name=Mapping Administration
Description=Administration of Directory Mapping objects
#ScopingClass=
#ScopeRequired=
#CopyScope=
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthValidateMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56

- After the suggested entries are added, the section looks like this:

[SecurityCategory]
Name=Mapping Administration
Description=Administration of Directory Mapping objects
#ScopingClass=
#ScopeRequired=
#CopyScope=
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMapping
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::IdentityMappingEntry
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthValidateMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::CertMap
RightsMask=63

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::UserDirectory
RightsMask=56

- Save the changes, and go to the xps/dd folder under the Policy Server installation path (where the SecCat.xdd file is located).
- Run XPSDDInstall SecCat.xdd to import the changes into the Policy Store.
- Restart Policy Server.
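
A check that can be run against the edited file before XPSDDInstall is shown below. It is an added example, not part of the original article or the product: it assumes SecCat.xdd uses the layout shown above ([Header] lines, KEY=VALUE lines, # comments), and the function names and embedded sample are constructed for illustration. It confirms that both Identity Mapping classes are present under Mapping Administration with RightsMask=63; it does not check their position in the file.

```python
import sys

# Classes the article says must be present under "Mapping Administration".
REQUIRED = {"CA.SM::IdentityMapping": "63", "CA.SM::IdentityMappingEntry": "63"}
PARENT = "!Mapping Administration"

def parse_sections(text):
    """Split .xdd text into (section_name, {key: value}) pairs.
    Assumed layout, as shown in the article: [Header] lines followed by
    KEY=VALUE lines, with '#' starting a comment."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def missing_mapping_classes(text):
    """Return required classes that are absent or carry a different RightsMask."""
    found = {
        fields.get("Class"): fields.get("RightsMask")
        for name, fields in parse_sections(text)
        if name == "ClassCategory" and fields.get("PARENT") == PARENT
    }
    return sorted(c for c, mask in REQUIRED.items() if found.get(c) != mask)

# Constructed sample: the "before" state from the article, shortened.
BEFORE = """[SecurityCategory]
Name=Mapping Administration
PossibleRights=VMP
CopiedRights=VM

[ClassCategory]
PARENT=!Mapping Administration
Class=CA.SM::AuthAzMap
RightsMask=63
"""
# The two entries from the article appended to the sample above.
AFTER = BEFORE + "".join(
    f"\n[ClassCategory]\nPARENT={PARENT}\nClass={c}\nRightsMask={m}\n"
    for c, m in REQUIRED.items()
)

if __name__ == "__main__":
    # Pass the path to SecCat.xdd as the first argument; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else BEFORE
    print("missing or mismatched:", missing_mapping_classes(text) or "none")
```

An empty result means both entries are in place; any class name listed still needs to be added or has a RightsMask other than 63.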