Authorization failures for sendevent commands due to as-sendevent policy.

Document ID : KB000004474
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

When attempting to use the new as-sendevent resource class, setting up a policy for anything other than All Resources and All Identities results in sendevent authorization failures.

Resolution:

Ensure the resource specified in the as-sendevent policy contains only the WAAE instance name or a single '*' and nothing else. That is the only information passed by WAAE as the resource for this type of authorization check. For example...

A sendevent -E STARTJOB is issued from instance ACE. The authorization check is sent with the resource set to 'ACE'. If the policy has the resource set to ACE.* as is standard for as-job policies, the authorization check will fail. The policy's resource should be either '*' or 'ACE' for the authorization check to pass.